Nginx – Need recommendations on Firewalled DMZ design for PHP web server on Linux

Tags: firewall, nginx, php-fpm, security, web-server

The 3 options we are considering are listed below. Which one is best, or is there a better solution we didn't consider? All servers are Linux with nginx. Do you see anything particularly wrong with any of them?

Additional clarification: the nginx php-fpm server will have open ports to the SQL server and file shares, hence the intermediate firewall. In addition it may be required to transcode video, so the reverse proxy server will load-balance instances of the nginx php-fpm server.

1) Internet -> firewall -> nginx reverse proxy in DMZ -> firewall -> nginx php-fpm -> files & sql server

2) Internet -> firewall -> nginx php-fpm in DMZ -> firewall -> files & sql server

3) Internet -> firewall -> nginx reverse proxy in DMZ -> firewall -> nginx php-fpm -> vm firewall -> files & sql server

4) Internet -> firewall -> nginx reverse proxy in DMZ -> vm firewall in DMZ -> nginx php-fpm in DMZ -> corporate firewall -> files & sql server

Best Answer

Your DMZ should look like figure 6 from the link below. You should only have one firewall, with the DMZ on a separate link/VLAN and not routable to your internal network except by specific IPs.

                     DMZ
                      ^
                      |
                      v

INTERNET <------------> FireWall <------------> Internal Network

http://www.cisco.com/c/en/us/td/docs/security/security_management/cisco_security_manager/security_manager/3-3-1/configuration/example/ZBF_ConfigExample.html
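One way to express the single-firewall, three-zone policy the answer describes as an nftables ruleset on that firewall. This is an added example, not from the answer or from the linked Cisco document; the interface names, addresses, and the SQL (tcp/3306) and SMB (tcp/445) ports are assumed, and the reverse proxy and php-fpm hosts are assumed to sit on the same DMZ VLAN so their traffic never crosses this box.

```nft
#!/usr/sbin/nft -f
# Added example: one firewall, three zones (internet / DMZ / internal).
# Assumed interfaces: eth0 = internet, eth1 = DMZ, eth2 = internal network.
# Assumed hosts: reverse proxy 192.0.2.10 and php-fpm backend 192.0.2.20 in the DMZ;
# SQL server 10.0.1.5 and file server 10.0.1.6 on the internal network.
flush ruleset

define WAN   = "eth0"
define DMZ   = "eth1"
define LAN   = "eth2"
define PROXY = 192.0.2.10
define APP   = 192.0.2.20
define SQL   = 10.0.1.5
define FILES = 10.0.1.6

table inet fw {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet may reach only the reverse proxy, and only on HTTP/HTTPS.
        iifname $WAN oifname $DMZ ip daddr $PROXY tcp dport { 80, 443 } accept

        # DMZ -> internal: only the php-fpm host, only to the SQL and file servers,
        # only on the ports the application needs. This is the "not routable to
        # your internal except specific IPs" part of the answer.
        iifname $DMZ oifname $LAN ip saddr $APP ip daddr $SQL   tcp dport 3306 accept
        iifname $DMZ oifname $LAN ip saddr $APP ip daddr $FILES tcp dport 445  accept

        # Internal -> DMZ for administration (ssh), internal -> internet for users.
        iifname $LAN oifname $DMZ tcp dport 22 accept
        iifname $LAN oifname $WAN accept

        # Everything else (DMZ -> internet, DMZ -> any other internal host,
        # internet -> internal) falls through to the drop policy; count and log it
        # so a compromised DMZ host probing inward shows up in the firewall log.
        counter log prefix "fw-forward-drop: "
    }
}
```

Note that the reverse proxy gets no DMZ -> internal rule at all: if it is compromised, the only onward path is to the php-fpm host on the same VLAN, and from there only the two allowed internal services.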