Re: transparent proxy support in Apache?

Vincent Bray wrote:
> I'm a bit confused by your terminology. From what I understand a
> transparent proxy is the kind which is put in front of clients by
> dodgy ISPs (such as my own) to perform things like caching and
> nanny-filtering, without having to properly configure a proxy in the
> user's browser. 

Yup - that's a transparent *forwarding* proxy.

> Again I'm not sure what topography you're referring to. If it's a
> reverse proxy, then yes apache should expect the request to be
> directed at itself. Transparent (or interception) proxies are meant to
> be hidden from the user and the server, but of course aren't because
> they mask things like connection and DNS errors.

Many commercial WAFs offer this - they call it "bridge mode". Basically
it means you can plug it in front of your backend servers (after it's
appropriately configured of course) and it will transparently intercept
all HTTP and HTTPS traffic meant for the backend servers - and then only
forward the sanitized queries to them.

They normally have one of those network cards that basically cause the
box to become a wire on failure - one form of DR. Nice thing is it
requires no network topology changes to operate.

> ... you're going to need several ip/port combinations
> with their own vhosts anyway, so you can use ProxyPass with the
> correct host name (or, depending on how you're arranging your DNS,
> using ProxyPass with the IP address of the backend along with the
> ProxyPreserveHost directive set).
>
>   

Yup - been there done that :-) That all works fine - but it means your
WAF becomes the single point of failure - as all clients terminate on
it. So you need to look at HA options (e.g. heartbeat) to remediate.

> It sounds to me like your config is trying to be too clever, but then
> I'm probably missing the point :-)
>   
Nope - I think I am trying to be too clever :-)

In the past 24 hours I've come back to the more standard RP option. The
problem with "transparent/bridging" is that the WAF basically has to be
directly in front of the servers to protect. But what if you've got
multiple DMZes/etc? Unless you're willing to put it right out in front
of your Internet edge, you are probably looking at needing multiple
WAFs, or reorganizing your network anyway. And the DR of becoming a wire
isn't really DR - I mean you've just lost a security device.

So ignore me - I'm back on track with the more standard Apache reverse
proxy model - with heartbeat :-)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
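As an added illustration (not part of the thread, and not Jason's or Vincent's configuration), this is the "standard reverse proxy" arrangement the reply settles on: one vhost per ip/port combination on the proxy box, each using ProxyPass to a backend by IP with ProxyPreserveHost so the backend still sees the client's original Host header. The hostnames and the 192.0.2.x / 10.0.0.x addresses are constructed placeholders.

```apache
# Added example, not from the original thread. Two vhosts on the
# reverse-proxy (WAF/RP) box, each bound to its own front IP and
# forwarding to its own backend. All names and addresses are constructed.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxying only: never let clients use this box as a forward
# proxy to reach arbitrary hosts.
ProxyRequests Off

<VirtualHost 192.0.2.10:80>
    ServerName www.example.com

    # Backend is addressed by IP, so pass the client's Host: header
    # through unchanged and let the backend pick its own vhost.
    ProxyPreserveHost On

    ProxyPass        / http://10.0.0.11/
    ProxyPassReverse / http://10.0.0.11/
</VirtualHost>

<VirtualHost 192.0.2.11:80>
    ServerName portal.example.com

    ProxyPreserveHost On

    ProxyPass        / http://10.0.0.12/
    ProxyPassReverse / http://10.0.0.12/
</VirtualHost>
```

ProxyPassReverse rewrites Location headers from the backend so redirects point back at the proxy rather than the internal address. Because every client terminates on this one box, it is the single point of failure the reply describes, which is why it is paired with an HA mechanism such as heartbeat.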


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

