Re: how to secure backend server ?
On Tue, 2 Jan 2001, darren chamberlain wrote:

> Oleg Bartunov ([EMAIL PROTECTED]) said something to this effect on 01/02/2001:
> > You can explicitly bind an apache server to localhost. This works only if
> > frontend and backend are on the same physical server. But it will not work
> > even in this situation if you have several proxies running while you want
> > the backend to accept requests only from one specific proxy.
>
> Bind an address on the 192.168.0 net as an alias on a real interface:

RFC 1918 says that you should choose a random network on one of the private subnets:

  10/8
  172.16/12
  192.168/16

But yes, using a private network is a good solution.

> [explanation of ifconfig]
>
> And then bind another address on the same private subnet to an interface on
> another machine, and they can talk to each other via this network (set the
> route correctly as well, naturally). This interface will be invisible from
> the 'net.

Unless you are unlucky and it is found to be routable. You ought to drop these three at your firewall anyway. But modperl != NANOG :) However, it is unlikely to route to your machine...

MBM

-- 
Tell me, O Octopus, I begs, / Is those things arms, or is they legs? /
I marvel at thee, Octopus; / If I were thou, I'd call me us. -- Ogden Nash
Re: how to secure backend server ?
On Tue, 2 Jan 2001, Oleg Bartunov wrote:

> Hi,
>
> I have implemented the standard fe-be scheme as many times discussed in this
> list and described by Stas in his guide. Sorry if I don't understand
> something simple. Everything works but I get a problem with securing my
> backend server - I want the backend to accept requests only from my
> frontend. I have in backend's conf file:
>
>   <Directory "/db1/w3/comps/discovery">
>     Options FollowSymLinks ExecCGI Includes MultiViews
>     AllowOverride All
>     Order deny,allow
>     Deny from all
>     Allow from MY_PROXY_IP
>   </Directory>

Forget that, add the rule to your firewall. It's a far better place to manage these kinds of rules.

-- 
    /||    ** Director and CTO **
   //||    **  AxKit.com Ltd   **  ** XML Application Serving **
  // ||    ** http://axkit.org **  ** XSLT, XPathScript, XSP  **
 // \\| // ** Personal Web Site: http://sergeant.org/ **
     \\//
     //\\
    //  \\
Matt
Re: how to secure backend server ?
At 03:02 PM 1/2/01 +, Matt Sergeant wrote:

> On Tue, 2 Jan 2001, Oleg Bartunov wrote:
>
> > Hi,
> >
> > I have implemented the standard fe-be scheme as many times discussed in
> > this list and described by Stas in his guide. Sorry if I don't understand
> > something simple. Everything works but I get a problem with securing my
> > backend server - I want the backend to accept requests only from my
> > frontend. I have in backend's conf file:
> >
> >   <Directory "/db1/w3/comps/discovery">
> >     Options FollowSymLinks ExecCGI Includes MultiViews
> >     AllowOverride All
> >     Order deny,allow
> >     Deny from all
> >     Allow from MY_PROXY_IP
> >   </Directory>
>
> Forget that, add the rule to your firewall. It's a far better place to
> manage these kinds of rules.

I am not sure, but I suspect it may be possible to distinctly bind to 127.0.0.1 and thus disallow any external IP address listening for extra measure. The default for apache is to bind to every IP on the system promiscuously, which you don't want on a BE server.

Of course, you will need the firewall method if the BE server actually is on a physically separate machine from the FE server.

Where security is concerned, it's not always the best idea to solely depend on firewall rules if you can help it... In case one gets misconfigured, at least you have a 2nd one.

Anyway, unless your mod_rewrite rules on the FE server are doing something other than blindly proxying all requests to the BE server, I am not sure whether the BE server is actually any more secure because of the reverse proxy. What attack could be made on the BE server directly that could not be made through just tunneling the same request through mod_rewrite on the FE server? eg. Are you filtering for "passwd" in the URL with your rewrite rules?
Re: how to secure backend server ?
Oleg Bartunov ([EMAIL PROTECTED]) said something to this effect on 01/02/2001:

> You can explicitly bind an apache server to localhost. This works only if
> frontend and backend are on the same physical server. But it will not work
> even in this situation if you have several proxies running while you want
> the backend to accept requests only from one specific proxy.

Bind an address on the 192.168.0 net as an alias on a real interface:

  bash# /sbin/ifconfig -a
  lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
          inet 127.0.0.1 netmask ff00
  hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
          inet 200.200.200.200 netmask ff00 broadcast 200.200.200.255
          ether 8:0:20:a2:e1:84
  bash# /sbin/ifconfig le0:7 192.168.0.7 up
  bash# /sbin/ifconfig -a
  lo0: flags=849<UP,LOOPBACK,RUNNING,MULTICAST> mtu 8232
          inet 127.0.0.1 netmask ff00
  hme0: flags=863<UP,BROADCAST,NOTRAILERS,RUNNING,MULTICAST> mtu 1500
          inet 200.200.200.200 netmask ff00 broadcast 200.200.200.255
          ether 8:0:20:a2:e1:84
  hme0:7: flags=843<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
          inet 192.168.0.7 netmask ff00 broadcast 192.168.0.255
  bash#

And then bind another address on the same private subnet to an interface on another machine, and they can talk to each other via this network (set the route correctly as well, naturally). This interface will be invisible from the 'net.

(darren)

-- 
Life is full of misery, loneliness, and suffering - and it's all over much too soon.
    -- Woody Allen
Re: how to secure backend server ?
On Tue, 2 Jan 2001, Gunther Birznieks wrote:

> Date: Tue, 02 Jan 2001 23:41:01 +0800
> From: Gunther Birznieks [EMAIL PROTECTED]
> To: Matt Sergeant [EMAIL PROTECTED], Oleg Bartunov [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: how to secure backend server ?
>
> At 03:02 PM 1/2/01 +, Matt Sergeant wrote:
>
> > On Tue, 2 Jan 2001, Oleg Bartunov wrote:
> >
> > > Hi,
> > >
> > > I have implemented the standard fe-be scheme as many times discussed in
> > > this list and described by Stas in his guide. Sorry if I don't
> > > understand something simple. Everything works but I get a problem with
> > > securing my backend server - I want the backend to accept requests only
> > > from my frontend. I have in backend's conf file:
> > >
> > >   <Directory "/db1/w3/comps/discovery">
> > >     Options FollowSymLinks ExecCGI Includes MultiViews
> > >     AllowOverride All
> > >     Order deny,allow
> > >     Deny from all
> > >     Allow from MY_PROXY_IP
> > >   </Directory>
> >
> > Forget that, add the rule to your firewall. It's a far better place to
> > manage these kinds of rules.
>
> I am not sure, but I suspect it may be possible to distinctly bind to
> 127.0.0.1 and thus disallow any external IP address listening for extra
> measure. The default for apache is to bind to every IP on the system
> promiscuously, which you don't want on a BE server.

Well, is it possible to tell apache to bind only one IP which is explicitly written in the Listen command?

Interesting, that I see the right IP of the proxy when I print the environment, but when the request comes to the backend I see the wrong IP in $r->connection->remote_ip! Also, in my original post I wrote that on my observation the request passes access control twice - the first time with the proxy IP address (passes ok by configuration) and the second time with the original client's IP, which fails, also by configuration. And this causes the problem. Is this correct behaviour? In my understanding PerlPostReadRequestHandler is at the beginning of the lifecycle of the request.

> Of course, you will need the firewall method if the BE server actually is
> on a physically separate machine from the FE server.
>
> Where security is concerned, it's not always the best idea to solely depend
> on firewall rules if you can help it... In case one gets misconfigured, at
> least you have a 2nd one.
>
> Anyway, unless your mod_rewrite rules on the FE server are doing something
> other than blindly proxying all requests to the BE server, I am not sure
> whether the BE server is actually any more secure because of the reverse
> proxy. What attack could be made on the BE server directly that could not
> be made through just tunneling the same request through mod_rewrite on the
> FE server? eg. Are you filtering for "passwd" in the URL with your rewrite
> rules?

True security is to pull out the network cable :-) Now I have academic interest to understand what I've seen.

regards, Oleg

_____________________________________________________________
Oleg Bartunov, sci.researcher, hostmaster of AstroNet,
Sternberg Astronomical Institute, Moscow University (Russia)
Internet: [EMAIL PROTECTED], http://www.sai.msu.su/~megera/
phone: +007(095)939-16-83, +007(095)939-23-83
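One way to tie the threads of this discussion together, as an added example written for this page and not code from the thread or from the guide: a mod_perl 1.x PerlPostReadRequestHandler that refuses any connection whose TCP peer is not the frontend before it looks at X-Forwarded-For, and only then copies the forwarded client address into remote_ip. It keeps the "only from my proxy" check on the socket address, where an `Allow from MY_PROXY_IP` rule would otherwise stop matching once remote_ip has been rewritten. The module name Apache::TrustedProxyOnly and the proxy address 192.168.0.7 (borrowed from darren's alias example) are assumptions.

```perl
package Apache::TrustedProxyOnly;   # hypothetical module name (assumption)
use strict;
use Apache::Constants qw(OK FORBIDDEN);

# Addresses the frontend proxies connect from. Constructed sample value;
# 192.168.0.7 is the private alias from darren's ifconfig example.
my %TRUSTED_PROXY = map { $_ => 1 } qw(192.168.0.7);

sub handler {
    my $r    = shift;
    my $conn = $r->connection;
    my $peer = $conn->remote_ip;    # real TCP peer: nothing has rewritten it yet

    # Enforce "backend accepts requests only from the frontend" on the socket
    # address, before any header the client could have supplied is consulted.
    unless ($TRUSTED_PROXY{$peer}) {
        $r->log_error("backend: refusing direct request from $peer");
        return FORBIDDEN;           # aborts the request before the access phase
    }

    # Only a trusted peer gets here, so the last hop in X-Forwarded-For (the
    # one appended by our own proxy) can be taken as the client's address.
    my $xff = $r->header_in('X-Forwarded-For');
    if (defined $xff && $xff =~ /([^,\s]+)\s*$/) {
        $r->notes('proxy_ip', $peer);   # keep the proxy address for the log
        $conn->remote_ip($1);           # from here on, access rules and logs
                                        # see the client, not the proxy; that is
                                        # why the proxy check lives above
    }
    return OK;
}

1;
```

Load it with `PerlPostReadRequestHandler Apache::TrustedProxyOnly` in the backend's httpd.conf; together with a `Listen 192.168.0.7:8080` line (Apache 1.3's Listen accepts an optional address, which answers the bind question) and the firewall rule Matt suggests, the packet filter, the socket binding and the handler each have to be wrong before the backend is reachable from anywhere but the frontend.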