Welcome! Log In Create A New Profile

Advanced

Question about reverse proxies and WAFs

Francisco V.
April 24, 2016 11:36PM
Hi all,

How are you?

First of all excuse my english as it is not my mother tongue.

I'd like to ask a rather general question which is not nginx specific:
In my new job they use an Apache webserver running mod_proxy as a
reverse proxy that works as the single entry point from the outside
for all the apps that work in the LAN. That is, the webserver is in
DMZ when they need an app published outside, the networking guys give
permission on the firewall from the internal server to the DMZ reverse
proxy which in turn is NAT'ed to the internet.

That reverse proxy does two things:

First it encrypts traffic, or it seems so, that is: The vhost
listening on port 443 is the one that does all the proxy pass to the
backend servers, so if anyone points their browser to
https://outside-address/app they'd go directly to the appserver. But
if they to http://outside-address/app, using mod_rewrite, they're
redirected to https://outside-address/app.

And second, it runs mod_security with the OWASP rules to act as a Web
Application Firewall.

My question is this a good setup for a reverse proxy + WAF?

As far as I'm concerned if you hit directly port 443 and get
redirected to the app, no modsecurity inspection is made, because the
request is SSL encrypted, right? The only modsecurity inspection would
be when you hit port 80 and get your address rewritten to https, is it
true?

Also, I don't know if nginx does the same, but for requests to be
proxied by Apache it seems that they must share the URL pattern with
the app server, that is:

It seems that you CAN NOT proxy http://outside-address/my_app to
http://server_in_the_lan_hosting_my_app/ BUT you must do:

http://outside-address/my_app/ proxied to http://lanserver/my_app/ if
the URL part "my_app" isn't matched it won't redirect requests to the
backend. Is this correct?

And last, I'm writing this here because I tried to migrate this to
nginx once, but it kept crashing (Not even finishing to start up) with
the OWASP core rules.

Does it makes sense SSL rewrites/termination on a reverse proxy/WAF?

Can nginx handle proxing requests that won't match URL patterns? Like
I mentioned above?

Does anybody run nginx + OWASP rules for mod security?

Thanks in advance and sorry for the bothering,

Francisco
Buenos Aires
Argentina

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

Question about reverse proxies and WAFs

Francisco V. April 24, 2016 11:36PM

Re: Question about reverse proxies and WAFs

Robert Paprocki April 24, 2016 11:40PM

Re: Question about reverse proxies and WAFs

CJ Ess April 25, 2016 01:10AM

Re: Question about reverse proxies and WAFs

Robert Paprocki April 25, 2016 11:12AM

Re: Question about reverse proxies and WAFs

CJ Ess April 25, 2016 11:52AM

Re: Question about reverse proxies and WAFs

mex April 25, 2016 08:33AM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 162
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready