Hi!

On Sun, Jun 22, 2008 at 10:26 AM, howard chen <howachen@xxxxxxxxx> wrote:
> Hi all,
>
> I am not sure if anyone has thought about this before.
>
> Consider a traditional setup for today's web applications:
>
> User <==> Squid(s) <==> Apache(s) <==> MySQL / Memcached / NFS
>
> Currently I have mod_security installed on every Apache to prevent
> attacks such as SQL injection, XSS etc.
>
> Sure, as a web application firewall, you would need more features than
> mod_security currently provides, e.g.
>
> 1. rate-limiting, e.g. limit your user to accessing register.cgi not
>    more than 1 time per minute (against spam or application-level DoS)
> 2. block user by IP, subnet
> 3. block by request header, e.g. UA, cookie

I must assume by "user" you mean "browser/computer accessing the
application", not an "application-authenticated" user.

for 1: maybe iptables + l7filter ( http://l7-filter.sourceforge.net/ ).

for 2: iptables, yup, plain iptables.

for 3: not sure... but maybe iptables + l7filter too.

> Of course I am not going to ask to merge all these features into squid,
> but I want to ask if it is feasible to develop all these features as an
> external program, and squid will pass the needed info to a program
> similar to a redirector (or maybe just using the redirector concept).
>
> I am just not sure if it is suitable to perform all these actions at
> the squid layer.
>
> Howard

Ildefonso.
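As an added example that is not part of the thread and not Squid's own code: the "external program that squid passes the needed info to" which Howard asks about already exists as a mechanism in Squid, the external_acl_type helper (a long-running process that reads one request per line on stdin and answers OK or ERR). The helper below implements the three features from the list in Python 3, keyed on the client IP as Ildefonso reads "user". The squid.conf lines in the header comment, the %SRC/%PATH/%{User-Agent} format tokens, the assumption that Squid URL-encodes the fields, and the blocklists and limits are all assumptions or constructed sample values, not configuration from the post.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: per-IP rate limit, IP/subnet block, User-Agent block.

Assumed squid.conf wiring (ttl=0 is essential: Squid caches helper answers
by default, which would make a rate limit answer once and stick):

  external_acl_type waf_check ttl=0 negative_ttl=0 %SRC %PATH %{User-Agent} /usr/local/bin/waf_helper.py
  acl waf external waf_check
  http_access deny !waf
"""
import ipaddress
import sys
import time
from collections import deque
from urllib.parse import unquote

# Constructed sample policy (assumed values, not taken from the thread).
BLOCKED_NETWORKS = ("10.0.0.0/8", "192.0.2.0/24", "198.51.100.7")
BLOCKED_UA_SUBSTRINGS = ("sqlmap", "nikto")
# path -> (max requests, window in seconds); mirrors "register.cgi once per minute"
RATE_LIMITS = {"/register.cgi": (1, 60.0)}


class Policy:
    def __init__(self, blocked_networks=BLOCKED_NETWORKS,
                 blocked_ua=BLOCKED_UA_SUBSTRINGS, rate_limits=RATE_LIMITS,
                 clock=time.monotonic):
        self.networks = [ipaddress.ip_network(n, strict=False) for n in blocked_networks]
        self.blocked_ua = tuple(s.lower() for s in blocked_ua)
        self.rate_limits = dict(rate_limits)
        self.clock = clock            # injectable so the window can be tested
        self.hits = {}                # (src, path) -> deque of request timestamps

    def check(self, src, path, user_agent):
        """Return (allowed, reason) for one request."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False, "unparseable source address"   # fail closed
        for net in self.networks:                         # 2: block by IP/subnet
            if addr in net:
                return False, "blocked subnet %s" % net
        ua = user_agent.lower()
        for bad in self.blocked_ua:                       # 3: block by header
            if bad in ua:
                return False, "blocked user-agent %s" % bad
        limit = self.rate_limits.get(path)                # 1: sliding-window rate limit
        if limit:
            max_hits, window = limit
            now = self.clock()
            q = self.hits.setdefault((src, path), deque())
            while q and now - q[0] >= window:             # drop hits outside the window
                q.popleft()
            if len(q) >= max_hits:
                return False, "rate limit %d/%gs on %s" % (max_hits, window, path)
            q.append(now)
        return True, "allow"


def parse_line(line):
    """Split one helper query: '<src> <path> <user-agent>', fields URL-encoded
    by Squid (assumed); '-' means the header was absent."""
    fields = line.rstrip("\n").split(" ")
    fields += ["-"] * (2 - len(fields))
    src, path = unquote(fields[0]), unquote(fields[1])
    ua = unquote(" ".join(fields[2:])) if len(fields) > 2 else "-"
    return src, path, ("" if ua == "-" else ua)


def handle_line(policy, line):
    """Produce the reply Squid expects for one query line."""
    src, path, ua = parse_line(line)
    allowed, reason = policy.check(src, path, ua)
    if not allowed:
        sys.stderr.write("waf_helper: deny %s %s: %s\n" % (src, path, reason))
    return "OK" if allowed else "ERR"


def main():
    policy = Policy()
    for line in sys.stdin:            # Squid keeps the helper alive, one query per line
        sys.stdout.write(handle_line(policy, line) + "\n")
        sys.stdout.flush()            # Squid blocks on the reply; never leave it buffered


if __name__ == "__main__":
    main()
```

Two caveats a practitioner would check before relying on this: the rate-limit state lives in one helper process, so with `children=N` in the external_acl_type line each child counts separately (share state through memcached or similar, or keep children=1); and %SRC is the TCP peer address, so if anything sits in front of Squid the limit applies to that proxy, not to the browser. None of this replaces mod_security on the Apaches; it only stops the request before it reaches them.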