Date: Wed, 23 Jan 2008 12:40:28 +0100
From: Christian Folini
To: users@httpd.apache.org
Message-ID: <20080123114028.GA31424@w032y7.pnet.ch>
Subject: Re: [users@httpd] Reverse proxy security risks

Hi-ho,

I propose you go with the reverse proxy and install ModSecurity with the Core Rule Set. That should be enough for a general level of security. However, you should keep an eye on the audit logs of ModSecurity, as the core rules let many possible attacks pass, but say so in the audit log. (This can be adjusted, but could bring more false positives.)
Regs,

Christian

On Wed, Jan 23, 2008 at 11:24:18AM -0000, Paul Cocker wrote:
> We have a helpdesk system which is accessed via HTTPS. However, the web
> interface is handled via Apache Tomcat, which is shipped as part of the
> product and therefore cannot be updated independently by us as this
> could interfere with manufacturer patches and void our support. This
> makes us nervous of offering access to this facility to anyone outside
> the internal network.
>
> However, setting up a reverse proxy on a DMZ box is an option to us, but
> I'm unsure as to whether this would mitigate the security concerns or
> not of a web hosting tool which we don't have the ability to keep
> 100% up-to-date.
>
> I'm thinking this is ground we shouldn't tread, but I'm looking for
> advice from those more experienced in reverse proxy.
>
> Paul

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
---------------------------------------------------------------------
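Christian's point that the core rules let requests through but record them in the audit log, as an added example that is not part of this thread: a small Python triage of a ModSecurity serial audit log that counts hits per rule id and lists the transactions that matched a rule without being blocked, which are the entries a reviewer has to look at by hand. The log sample, rule ids and addresses are constructed; only the part layout (A header, B request line, H rule messages) follows the ModSecurity 2.x serial audit-log format.

```python
import re
from collections import Counter
# Constructed sample in ModSecurity 2.x serial audit-log layout (not a real log; rule
# ids and addresses are placeholders). c0ffee01 is warned about and passed; c0ffee02 blocked.
SAMPLE_AUDIT_LOG = r"""
--c0ffee01-A--
[23/Jan/2008:12:40:28 +0100] Tx1 192.0.2.10 51234 198.51.100.5 443
--c0ffee01-B--
GET /helpdesk/ticket?id=1%27%20OR%201%3D1 HTTP/1.1
--c0ffee01-H--
Message: Warning. Pattern match "(?i)or\s+1=1" at ARGS:id. [id "1000001"] [msg "SQL Injection Attack"] [severity "CRITICAL"]
--c0ffee01-Z--
--c0ffee02-A--
[23/Jan/2008:12:41:03 +0100] Tx2 203.0.113.7 40001 198.51.100.5 443
--c0ffee02-B--
GET /helpdesk/../../../etc/passwd HTTP/1.1
--c0ffee02-H--
Message: Access denied with code 403 (phase 2). Pattern match "\.\./" at REQUEST_URI. [id "1000002"] [msg "Path Traversal Attack"] [severity "CRITICAL"]
--c0ffee02-Z--
"""

PART_RE = re.compile(r"^--([0-9a-f]+)-([A-Z])--$", re.M)  # part boundary lines
MSG_RE = re.compile(r"^Message: (.*)$", re.M)             # one per rule match, part H
ID_RE = re.compile(r'\[id "([^"]+)"\]')
DESC_RE = re.compile(r'\[msg "([^"]+)"\]')

def parse_audit_log(text):
    """Split a serial audit log into {transaction_id: {part_letter: body}}."""
    txs, marks = {}, list(PART_RE.finditer(text))
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(text)
        txs.setdefault(m.group(1), {})[m.group(2)] = text[m.end():end].strip()
    return txs

def triage(text):
    """Count hits per rule id and list transactions that matched a rule but were
    not blocked: the entries a reviewer of the audit log must look at by hand."""
    hits, passed = Counter(), []
    for tx_id, parts in parse_audit_log(text).items():
        msgs = MSG_RE.findall(parts.get("H", ""))
        for m in msgs:
            rid = ID_RE.search(m)
            hits[rid.group(1) if rid else "unknown"] += 1
        if msgs and not any(m.startswith("Access denied") for m in msgs):
            a = parts.get("A", "").split()  # [time tz] unique_id src_ip src_port ...
            passed.append({"tx": tx_id, "client": a[3] if len(a) > 3 else "?",
                           "request": parts.get("B", "\n").splitlines()[0],
                           "reasons": sorted({d.group(1) for d in map(DESC_RE.search, msgs) if d})})
    return hits, passed
```

Pointing `triage` at a real audit log file's contents gives a per-rule hit count to tune against false positives and a short list of passed-through requests to review, which is the routine Christian describes.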