Security – Will a reverse proxy in front of web server improve security

isa-serverPROXYreverse-proxySecurity

Third-party security professional is recommending we run a reverse proxy in front of the web server (all hosted in the DMZ) as a best practice security measure.

I know this is a typical recommended architecture as it provides another level of security in front of a web application to prevent hackers.

However, as a reverse proxy is cheerfully shuttling HTTP back and forth between the user and the internal web server, it will not provide any measure of prevention of hacking on the web server itself. In other words, if your web app has a security hole, the proxy is not going to provide any meaningful amount of security.

And given that the risk of an attack on a web application is much much higher than that of an attack on the proxy, is there really much gained by adding an extra box in the middle? We would not be using any of the caching capabilities of a reverse proxy – just a dumb tool to shuttle packets back and forth.

Is there something else I'm missing here? Has reverse proxy HTTP packet inspection got so good it can detect meaningful attacks without major performance bottlenecks, or is this just another example of Security Theater?

Reverse proxy is MS ISA fwiw.

Best Answer

Apache has mod_security, which will detect common security attacks. There is also mod_cband, which can restrict bandwidth used. I wouldn't be surprised if ISA had something similar. Without something actually making checks on the HTTP traffic as it goes through the proxy, it's all a little pointless from a security point of view.

What a reverse proxy will give you is load balancing, fail-over, caching, SSL and filering off-loading, leaving your web servers to do what they're good at: serving HTML.

Related Solutions

Nginx – How to Set Up as a Caching Reverse Proxy

I don't think that there is a way to explicitly invalidate cached items, but here is an example of how to do the rest. Update: As mentioned by Piotr in another answer, there is a cache purge module that you can use. You can also force a refresh of a cached item using nginx's proxy_cache_bypass - see Cherian's answer for more information.

In this configuration, items that aren't cached will be retrieved from example.net and stored. The cached versions will be served up to future clients until they are no longer valid (60 minutes).

Your Cache-Control and Expires HTTP headers will be honored, so if you want to explicitly set an expiration date, you can do that by setting the correct headers in whatever you are proxying to.

There are lots of parameters that you can tune - see the nginx Proxy module documentation for more information about all of this including details on the meaning of the different settings/parameters: http://nginx.org/r/proxy_cache_path

http {
  proxy_cache_path  /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
  proxy_temp_path /var/www/cache/tmp; 


  server {
    location / {
      proxy_pass http://example.net;
      proxy_cache my-cache;
      proxy_cache_valid  200 302  60m;
      proxy_cache_valid  404      1m;
    }
  }
}

Reverse proxy setup in ISA Server

You should be able to do that using different subfolders in your web publishing rules.

This Microsoft TechNet article explains the details and has some walk-throughs for ISA Server 2004:

Web publishing provides you detailed control over access to content. Web publishing rules are rich in features, including the following:

Mapping requests to specific internal paths. You can limit the portions of your servers that can be accessed.

Restricting access to specific users, computers, or networks. You can restrict access, to further improve security.

Requiring user authentication. User authentication can be passed through to the Web server, eliminating the need to reauthenticate at the Web server.

Providing link translation. You can handle links to internal servers.

Providing SSL bridging. You can encrypt traffic between the ISA Server computer and the Web server.

Search for this section:

Publishing Web server folders on the Internal or perimeter network to one domain name

You can publish specific folders on a Web server on the Internal network or on a perimeter network. In this scenario, both folders are published to the same domain. For example, you want to publish the \news folder to www.fabrikam.com/news, and the \updates folder to www.fabrikam.com/updates.

For ISA Server 2006 there is this article (or as Word file here), which explains the options you have for publishing. Search for "Web Publishing Rule Properties" and "Path Mapping" inside the document.

Related Topic