mod_proxy is very powerful, but when it comes to security I wouldn't use it to protect another server, as it had some problems in the past.

The whole idea of putting a reverse proxy to protect a web server is that the proxy server doesn't have anything besides a small engine to fetch the data from the inside server (if configured right), thus making it less vulnerable to attacks; in combination with a strict iptables ruleset it is relatively secure.

Another tip: if you intend on using dynamic pages, make sure you set the cache to 0. :)

TheOg

----- Original Message -----
From: "Alejandro Flores" <[EMAIL PROTECTED]>
To: "Security" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Wednesday, February 19, 2003 8:53 PM
Subject: Re: Securing a webserver through reverse proxy?

> Hi,
>
> I have implemented some time ago, something like this, but using
> apache. Apache has a proxy module, that makes apache work as a proxy for
> a whole site, or just some directories (this module does much more...). I
> mean, you can have an exposed webserver (apache), and when someone issues
> a GET /somedir/ apache will download http://othersite.../somedir/ and
> show it to you.
> The httpd.conf will have something like this on your virtualhost
> directive:
>
> ProxyPass /somedir/ http://othersite/somedir/
>
> So, you can have an apache webserver running on the internet, and
> mapping some directories to your internal IIS or wherever webserver you
> have.
>
> Hope you can understand something!
>
> Regards,
> Alejandro
>
> > Greetings,
> >
> > I've read about a way to secure webservers, which must not be directly
> > exposed to the Internet, using a reverse proxy, e.g. MS ISA Server or
> > Squid on a UNIX box.
> >
> > Now my question would be: Has anyone experience with that? Is it really
> > more secure (compared to firewalling and port forwarding)? Is the MS ISA
> > Server Webpublishing rule (which implies reverse caching) doing an
> > application layer filtering or does it just do the mentioned caching? Can a
> > Squid reverse proxy solution fulfill that too?
> >
> > If not, what are the steps necessary to accomplish this?
> >
> > Your input is appreciated.
> >
> > --
> > Jonas Nagel <[EMAIL PROTECTED]>
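
The ProxyPass mapping and the no-cache tip from this thread, written out as a fuller virtual host. This is an added example, not part of the thread or any poster's configuration. It assumes Apache httpd 2.4 syntax with mod_proxy and mod_proxy_http loaded; www.example.com is a placeholder, and using CacheDisable for "set the cache to 0" is an assumption about the intent.

```apache
# Added example (assumes Apache httpd 2.4, mod_proxy + mod_proxy_http loaded).
# www.example.com is a placeholder; "othersite" is the internal server
# from the ProxyPass line quoted in the thread.

# TRACE is not covered by <Limit>/<LimitExcept>, so switch it off here.
TraceEnable Off

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only. With ProxyRequests On the host would also act
    # as a forward proxy that any client could relay through.
    ProxyRequests Off

    # Publish only the paths meant to be public; everything else on the
    # internal server stays unreachable from outside.
    ProxyPass        /somedir/ http://othersite/somedir/

    # Rewrite Location headers in backend redirects so clients are not
    # pointed at the internal hostname.
    ProxyPassReverse /somedir/ http://othersite/somedir/

    <Location "/somedir/">
        # Allow only the methods the application needs
        # (GET also covers HEAD); all other methods are refused.
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Location>

    # Dynamic pages: make sure nothing under this path is served from
    # a proxy cache if mod_cache happens to be loaded.
    <IfModule mod_cache.c>
        CacheDisable /somedir/
    </IfModule>
</VirtualHost>
```

Run `apachectl configtest` after editing. The iptables side mentioned above still applies: the internal server should accept HTTP only from the proxy's address.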
