RE: What should be considered about the reverse proxy server? [EXT]


 



Yes - you should harden the front-end, as this is what is likely to be compromised by general attacks.

Run SSL, run a static server & proxy server, set security headers, handle the backend server being down, handle HTTP -> HTTPS redirects, handle basic auth (you can have a general rule for the WordPress admin URLs as a form of 2FA).

Drop certain requests by:
 * connection type, if you don't want them (TRACE/TRACK/OPTIONS etc.),
 * IP address, if you can't get to the firewall settings,
 * suspicious/malfunctioning user agents,
 * particular paths that are general attack vectors; hide URLs that are likely to be tmp files (.files, .bak, .swp etc.)




-----Original Message-----
From: Dino Ciuffetti <dino@xxxxxxxxx> 
Sent: 08 March 2021 22:33
To: users@xxxxxxxxxxxxxxxx
Subject: Re: What should be considered about the reverse proxy server? [EXT]

> <VirtualHost *:80>
>     ProxyPreserveHost On
>     ProxyPass / http://Server-IP
>     ProxyPassReverse / http://Server-IP
> </VirtualHost>
> I have some questions:
> 
> 1- The real work of a proxy server is just those lines?


It's OK if you only have one backend HTTP worker without load balancing and no HTTPS.
If you need load balancing (advised!) and HTTPS on the reverse proxy (much advised!) you'll need to configure your reverse proxy virtualhosts with mod_ssl and mod_proxy_balancer. I also recommend enabling some logging (error_log and access_log) on your virtualhost.


> 2- The real configuration of the web server must be done on
> another server? Consider the figure below:
> 
> The Internet --> Reverse Proxy Server --> Apache Web Server
> 
> The SSL configuration and other Apache hardening and configuration 
> must be done on the Apache Web Server and not the Reverse Proxy Server?

Don't know what you mean by "the real configuration". You'll need to configure the Apache reverse proxy node as a reverse proxy, and the backend HTTP worker as a backend HTTP worker.
Please remember that an Apache httpd reverse proxy node works at Layer 7 (Application -> HTTP/HTTPS) and not at Layer 4 (e.g. TCP). Your HTTP contents (e.g. WordPress, static pages, JS, CSS, etc.) must be implemented on your backend workers, and the reverse proxy will publish those contents to your clients.

BTW, HTTPS must be terminated on the reverse proxy. The security hardening must be enforced on both nodes. The reverse proxy is generally directly exposed to the outside, so it obviously needs more attention.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx




-- 
 The Wellcome Sanger Institute is operated by Genome Research 
 Limited, a charity registered in England with number 1021457 and a 
 company registered in England with number 2742969, whose registered 
 office is 215 Euston Road, London, NW1 2BE.
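As an added example (not taken from any message in this thread), the points raised above can be expressed in one Apache httpd 2.4 reverse-proxy configuration: TLS termination with mod_ssl, two backend workers behind mod_proxy_balancer, per-vhost logging, security headers, an HTTP -> HTTPS redirect, a locally served static page when the backends are down, basic auth in front of the WordPress admin, and rules that drop requests by method, source address, user agent and leftover-file path. The hostname, backend addresses, file paths and the blocked address/user-agent patterns are placeholders to be replaced.

```apache
# Added example, not taken from the thread. Placeholders: www.example.com,
# backends 10.0.0.11/12, /var/www/static, /etc/apache2/wp-admin.htpasswd.
# Modules: mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_slotmem_shm, mod_headers, mod_rewrite,
# mod_auth_basic, mod_authn_file.

# Port 80 only redirects to HTTPS; nothing is proxied over plain HTTP.
<VirtualHost *:80>
    ServerName www.example.com
    RewriteEngine On
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com

    # TLS terminates on the proxy (mod_ssl); legacy protocols disabled.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol           all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder   on
    SSLCipherSuite        HIGH:!aNULL:!MD5:!3DES

    # error_log and access_log for this vhost on the proxy node.
    ErrorLog  ${APACHE_LOG_DIR}/www.example.com-error.log
    CustomLog ${APACHE_LOG_DIR}/www.example.com-access.log combined

    # Security headers on every response, including error pages ("always").
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # Strip the backend's banner from proxied (successful) responses.
    Header unset X-Powered-By
    ServerSignature Off
    # Let the backend know the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    # Drop requests by method, source address or user agent with a 403.
    TraceEnable Off
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)$ [NC,OR]
    RewriteCond %{REMOTE_ADDR}    ^203\.0\.113\. [OR]
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} (sqlmap|nikto|masscan) [NC]
    RewriteRule ^ - [F]

    # Hide dotfiles and editor/backup leftovers before they reach the backend...
    <LocationMatch "(^|/)\.|\.(bak|swp|old|orig|sql)$">
        Require all denied
    </LocationMatch>
    # ...but keep ACME challenges reachable (a later section overrides).
    <Location "/.well-known/acme-challenge/">
        Require all granted
    </Location>

    # Extra credential in front of the WordPress admin (mod_auth_basic).
    <LocationMatch "^/(wp-admin/|wp-login\.php)">
        AuthType Basic
        AuthName "Admin"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/wp-admin.htpasswd
        Require valid-user
    </LocationMatch>
    # admin-ajax.php is called by anonymous front-end pages; leave it open.
    <Location "/wp-admin/admin-ajax.php">
        Require all granted
    </Location>

    # Static page served locally when no backend worker answers (502/503).
    DocumentRoot /var/www/static
    <Directory "/var/www/static">
        Options None
        AllowOverride None
        Require all granted
    </Directory>
    ProxyPass "/maintenance.html" "!"
    ErrorDocument 502 /maintenance.html
    ErrorDocument 503 /maintenance.html

    # Reverse proxy only; two backend workers with failover (mod_proxy_balancer).
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy "balancer://wp">
        BalancerMember http://10.0.0.11:8080 retry=30
        BalancerMember http://10.0.0.12:8080 retry=30
        ProxySet lbmethod=byrequests
    </Proxy>
    ProxyPass        "/" "balancer://wp/"
    ProxyPassReverse "/" "balancer://wp/"
</VirtualHost>
```

Check it with `apachectl configtest` before reloading. The order matters in two places: the `ProxyPass "/maintenance.html" "!"` exclusion has to precede the catch-all `ProxyPass "/"`, and the `<Location>` exceptions (ACME challenge, admin-ajax.php) have to come after the `<LocationMatch>` sections they relax, because later access-control sections replace earlier ones. Blocking OPTIONS will break clients that rely on CORS preflight, so drop it from the method list if the backend serves an API.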



