Re: Reverse Proxy Server?

[Don Felgar <dfelgar () rainier-infosys com>]

On Tue, May 27, 2003, Dean Thompson wrote:
> I hope this is the right place to post this...
>
> We develop numerous internal web applications that we occasionally need to 
> publish to customers.  In very sensitive scenarios, we will force them to 
> use a VPN to connect.  In others, we just publish a server/app beyond the 
> firewall.  I would like to see a solution that could handle both scenarios 
> easily, and would not require that I put multiple servers or apps outside 
> the firewall.
>
> My thoughts were to use something like what Anonymizer 
> (http://www.anonymizer.com) does.  Essentially, it just forwards requests 
> for you, and returns the information to you.  So, if someone out there went 
> to http://mydomain.com and logged in, they could then go to 
> http://mydomain.com?server=someserver (or something like that).  Does 
> anyone out there know of a tool like this that is already available?  I 
> would prefer a Windows platform, but 'nix is acceptable.
>
> Thanks,
> Dean

You can also give the webserver in question a public IP address, put
it behind a firewall, and configure the firewall to allow access to
the necessary IP addresses only.  This will work either with or
without a VPN.  This has the added benefit of excluding attacks on
ports 80 and/or 443, but a drawback in that you must know in advance
what IP addresses to allow.

If you cannot know if advance what IP addresses to let through, you
can authenticate the client on a public webserver, and upon success
poke a hole in the firewall for that specific IP address and then
redirect the client.

Incidentally a drawback to port-forwarding type schemes is that all
traffic appears to originate from a single IP address from the point
of view of the webserver, reducing the utility of logfiles.  I don't
know of Squid reverse proxy has this effect or not.  Don't learn this
the hard way as I did.

--Don