Thank you for all replies.
How to handle back-end server down? Is it kind of load balancing or CDN?






On Thursday, March 11, 2021, 04:45:35 PM GMT+3:30, James Smith 
<j...@sanger.ac.uk> wrote: 





1> If the server you are proxying to is unavailable - due to a server error or 
reconfiguration - the front end should display a custom error page - rather 
than display the error page generated by the backend server
2> There are other reverse proxies out there - there is the community version 
of the Pulse Secure vADC, and also nginx etc
3> Yes to do the proxying - but it is often easier to put a first level of 
security on the frontend (reduces risk/increases performance) especially if the 
backend server is a heavier dynamic server.
3> And another if you are proxying multiple backend servers then you can put 
the security settings on the frontend - no need to duplicate across all 
servers. You can also add/remove headers on the way in/out.



-----Original Message-----
From: Jason Long <hack3r...@yahoo.com.INVALID> 
Sent: 11 March 2021 12:21
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

Hello,
Can anyone answer my questions?
1- What does "handle backend server down" mean?
2- Can I launch a Reverse Proxy without Apache Web Server?
3- In general, an Apache Reverse Proxy Server is just some lines to forward the 
requests?







On Wednesday, March 10, 2021, 09:47:03 AM GMT+3:30, Jason Long 
<hack3r...@yahoo.com.invalid> wrote: 





Thank you so much.
Thus, the front end and back end servers are the same with regard to security.
What does "handle backend server down" mean?






On Tuesday, March 9, 2021, 04:30:01 PM GMT+3:30, James Smith 
<j...@sanger.ac.uk> wrote: 





Yes - you should harden the front-end as this is what is likely to be 
compromised by general attacking.

Run SSL, run a static server & proxy server,  set security headers, handle 
backend server down, handle http -> https redirects, handle basic auth (you can 
have a general rule for wordpress admin URLs as a 2FA)

Drop certain requests by:
* connection types if you don't want them trace/track/options etc, 
* IP address if you can't get to firewall settings,
* suspicious/malfunctioning useragents,
* particular paths that are general attack vectors, hide URLs that are likely 
to be tmp files (.files,.bak,.swp etc)




-----Original Message-----
From: Dino Ciuffetti <d...@tuxweb.it> 
Sent: 08 March 2021 22:33
To: users@httpd.apache.org
Subject: Re: [users@httpd] What should be considered about the reverse proxy 
server? [EXT]

> <VirtualHost *:80>
> ProxyPreserveHost On
> ProxyPass / http://Server-IP
> ProxyPassReverse / http://Server-IP
> </VirtualHost>
> I have some questions:
> 
> 1- the real work of a proxy server is just that lines?


It's OK if you only have one backend HTTP worker without load balancing and no 
HTTPS.
If you need load balancing (advised!) and HTTPS on the reverse proxy (much 
advised!) you'll need to configure your reverse proxy virtualhosts with mod_ssl 
and mod_proxy_balancer. I also recommend you to enable some logging (error_log 
and access_log) on your virtualhost.


> 2- The real configuration of the web server must be done on the 
> another server? Consider below
> figure:
> 
> The Internet --> Reverse Proxy Server --> Apache Web Server
> 
> The SSL configuration and other Apache hardening and configuration 
> must be done on the Apache Web Server and not the Reverse Proxy Server?

Don't know what you mean by "the real configuration". You'll need to configure 
the apache reverse proxy node as a reverse proxy, and the backend HTTP worker 
as a backend HTTP worker.
Please remember that an Apache httpd reverse proxy node works at Layer 7 
(Application -> HTTP/HTTPS) and not at Layer 4 (eg TCP). Your HTTP contents (eg 
wordpress, static pages, js, css, etc) must be implemented on your backend 
workers and the reverse proxy will publish those contents to your clients.

BTW HTTPS must be terminated on the reverse proxy. The security hardening must 
be enforced on both nodes. The reverse proxy is generally directly exposed to the 
outside, so it obviously needs more attention.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org




-- 
The Wellcome Sanger Institute is operated by Genome Research 
Limited, a charity registered in England with number 1021457 and a 
company registered in England with number 2742969, whose registered 
office is 215 Euston Road, London, NW1 2BE.
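
The front-end duties named in this thread (HTTPS termination, http -> https redirect, load balancing, a custom page when the backend is down, security headers, dropping unwanted requests) combined in one Apache 2.4 configuration. This is an added example, not a configuration posted by any participant; the host name, backend addresses, certificate and log paths, document root and error-page name are assumptions.

```apache
# Added example. Assumed: www.example.org, backends 10.0.0.11 and 10.0.0.12,
# the file paths below, and a static page at /var/www/frontend/errors/backend-down.html.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_slotmem_shm, mod_headers, mod_rewrite.
<VirtualHost *:80>
    ServerName www.example.org
    # http -> https redirect: nothing is proxied over plain HTTP
    Redirect permanent / https://www.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    DocumentRoot /var/www/frontend
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.org.key
    ErrorLog  logs/proxy_error_log
    CustomLog logs/proxy_access_log combined

    # Load balancing: a member that fails is skipped and retried after 30 s
    <Proxy "balancer://backends">
        BalancerMember "http://10.0.0.11:80" retry=30
        BalancerMember "http://10.0.0.12:80" retry=30
        ProxySet lbmethod=byrequests
    </Proxy>

    # Backend down: answer with the front end's own static page instead of
    # a backend-generated error page or the default 502/503 text
    ProxyErrorOverride On
    ErrorDocument 502 /errors/backend-down.html
    ErrorDocument 503 /errors/backend-down.html
    ProxyPass        "/errors/" "!"
    ProxyPreserveHost On
    ProxyPass        "/" "balancer://backends/"
    ProxyPassReverse "/" "balancer://backends/"

    # Security headers set once here, for every backend
    Header always set Strict-Transport-Security "max-age=31536000"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"

    # Drop unwanted methods, dotfiles and editor/backup files before proxying
    TraceEnable off
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACK|OPTIONS)$
    RewriteRule ^ - [F]
    RewriteRule "/\.(?!well-known/)" - [F]
    RewriteRule "\.(bak|swp)$" - [F,NC]
</VirtualHost>
```

`ProxyPass "/errors/" "!"` has to come before the catch-all `ProxyPass "/"` so the error page is served locally, and blocking OPTIONS will break CORS preflight requests if a backend relies on them.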

