httpd-users mailing list archives

From Christian Folini <christian.fol...@post.ch>
Subject Re: [users@httpd] Reverse proxy security risks
Date Wed, 23 Jan 2008 11:40:28 GMT
Hi-ho,

I propose you go with the reverse proxy and install ModSecurity
with the Core Rule set. That should be enough for a general
level of security. However, you should keep an eye on the 
audit-logs of ModSecurity, as the core rules let many possible
attacks pass, but say so in the audit log. (This can be adjusted,
but could bring more false positives).

Regs,

Christian

On Wed, Jan 23, 2008 at 11:24:18AM -0000, Paul Cocker wrote:
> We have a helpdesk system which is accessed via HTTPS. However, the web
> interface is handled via Apache Tomcat, which is shipped as part of the
> product and therefore cannot be updated independently by us as this
> could interfere with manufacturer patches and void our support. This
> makes us nervous of offering access to this facility to anyone outside
> the internal network.
> 
> However, setting up a reverse proxy on a DMZ box is an option to us, but
> I'm unsure as to whether this would mitigate the security concerns or
> not of a web hosting tool which we don't have the ability to keep
> 100% up-to-date.
> 
> I'm thinking this is ground we shouldn't tread, but I'm looking for
> advice from those more experienced in reverse proxy.
> 
> Paul
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>    "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
> 
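
As an added example (not part of the original messages): a short Python script that reads a ModSecurity serial audit log and lists the transactions where a rule matched but the request was not intercepted, which is the case the reply above says to watch for. The sample log, rule ids and addresses are constructed, and the parser assumes the ModSecurity 2.x serial layout with audit log parts A, B and H enabled.

```python
import re

BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")  # part separator line
TAG = re.compile(r'\[(id|msg|severity) "([^"]*)"\]')     # rule metadata in a message
# Constructed sample (rule ids, addresses and unique ids are made up; patterns elided).
SAMPLE_LOG = """\
--aaaa0001-A--
[23/Jan/2008:11:40:28 +0000] TXN-0001 192.0.2.10 40112 198.51.100.5 443
--aaaa0001-B--
GET /helpdesk/ticket?id=1'%20or%20'1'='1 HTTP/1.1
--aaaa0001-H--
Message: Warning. Pattern match "..." at ARGS:id. [id "1000001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--aaaa0001-Z--
--aaaa0002-A--
[23/Jan/2008:11:41:02 +0000] TXN-0002 192.0.2.77 40115 198.51.100.5 443
--aaaa0002-B--
TRACE / HTTP/1.1
--aaaa0002-H--
Message: Access denied with code 501 (phase 2). Match of "..." against "REQUEST_METHOD" required. [id "1000002"] [msg "Method is not allowed by policy"] [severity "CRITICAL"]
Action: Intercepted (phase 2)
--aaaa0002-Z--
"""

def parse_audit_log(text):
    """Return one dict per complete transaction in a serial audit log."""
    txns, cur, part = [], None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line)
        if m:
            part = m.group(2)
            if part == "A":
                cur = {"client": None, "request": None, "alerts": [], "blocked": False}
            elif part == "Z" and cur:
                txns.append(cur)
                cur = None
        elif cur and part == "A" and cur["client"] is None:
            fields = line.split()  # date, tz, unique id, src ip, src port, dst ip, dst port
            cur["client"] = fields[3] if len(fields) > 3 else "unknown"
        elif cur and part == "B" and cur["request"] is None:
            cur["request"] = line  # first line of part B is the request line
        elif cur and part == "H":
            if line.startswith("Message: "):
                cur["alerts"].append(dict(TAG.findall(line)))
            cur["blocked"] |= line.startswith(("Message: Access denied", "Action: Intercepted"))
    return txns

def passed_with_alerts(txns):
    """Transactions where a rule matched but the request was not intercepted."""
    return [t for t in txns if t["alerts"] and not t["blocked"]]
```

Running `passed_with_alerts(parse_audit_log(...))` over the real audit log gives the list of requests that reached the backend despite a rule match, each with its client address, request line and matching rule metadata.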
