WebApp Sec mailing list archives
Re: Reverse Proxy Server?
From: Bob Lee <crazybob () crazybob org>
Date: Tue, 27 May 2003 16:27:42 -0500
On Tuesday, May 27, 2003, at 11:50 AM, Don Felgar wrote:
You can also give the webserver in question a public IP address, put it behind a firewall, and configure the firewall to allow access to the necessary IP addresses only. This will work either with or without a VPN. This has the added benefit of excluding attacks on ports 80 and/or 443, but a drawback in that you must know in advance what IP addresses to allow. If you cannot know if advance what IP addresses to let through, you can authenticate the client on a public webserver, and upon success poke a hole in the firewall for that specific IP address and then redirect the client. Incidentally a drawback to port-forwarding type schemes is that all traffic appears to originate from a single IP address from the point of view of the webserver, reducing the utility of logfiles. I don't know of Squid reverse proxy has this effect or not. Don't learn this the hard way as I did. --Don
Trusting IP addresses is not a very safe or scalable practice. You have NAT, dynamic IPs, ARP poisoning, etc.
Bob
Current thread:
- Reverse Proxy Server? Dean Thompson (May 27)
- Re: Reverse Proxy Server? Bob Lee (May 27)
- Re: Reverse Proxy Server? Stig Palmquist (May 27)
- Re: Reverse Proxy Server? Don Felgar (May 27)
- Re: Reverse Proxy Server? Bob Lee (May 27)
- Re: Reverse Proxy Server? Don Felgar (May 28)
- Re: Reverse Proxy Server? Bob Lee (May 28)
- Re: Reverse Proxy Server? Bob Lee (May 27)
- Re: Reverse Proxy Server? Dean Thompson (May 28)
- <Possible follow-ups>
- RE: Reverse Proxy Server? Dawes, Rogan (ZA - Johannesburg) (May 27)
- RE: Reverse Proxy Server? Aaron Goldsmid (May 27)
- Re: Reverse Proxy Server? Neil Kohl (May 27)
- RE: Reverse Proxy Server? Harry Chemin (May 27)