Using Apache as a reverse-proxy with mod_proxy and VMware to replicate a secure large-corporation environment


In this article, we will review how to set up a secure and efficient environment. Logically, it is comparable to the setups used in large corporations such as banks, governments, the military and insurance companies. We will do this using a single computer with 4 GB RAM, Apache mod_proxy in reverse-proxy mode and the freely available VMware Server. All products used in this setup are either open-source or available for free. The hardware cost of such a system should be around 1300$. There is no software cost.

  • Dual-core computer ~800$
  • 4 GB RAM ~280$
  • 2 x 200 GB hard drives in RAID 1 (mirroring; total space available: 200 GB) ~240$
  • Total: 1360$


Naturally, any security expert will tell you that logical separation isn't as good as physical separation, so we are not pretending that this kind of setup matches the big-corporation setups security-wise. Nevertheless, it is close enough given the cost involved. First, let's look at a typical setup in a big corporation:


[Figure: Big corporation web server setup]

The above setup has the following advantages:

  • All accesses to given URLs through HTTP requests can be controlled from a single point with ACLs.
  • All HTTPS / TLS traffic can be handled centrally at the reverse-proxy level. It is common to see the reverse proxy equipped with a piece of hardware called an SSL accelerator. The goal of the accelerator is to offload CPU-intensive encryption work to dedicated hardware.
  • All logging can be kept centrally.
  • The Apache reverse-proxy is quite secure. No applications run on it, so it is less likely to get compromised.
  • It enables one to run less secure applications on a back-end server located on a different subnet and to restrict that server's connectivity in case it gets compromised. One thing that comes to mind is restricting its ability to send mail, in case the server is compromised by zombie bots used by spammers. Note that most popular open-source PHP applications have major security holes in them. This is due to the nature of the language and its origins. By contrast, J2EE applications are in general much more secure and they are used in many corporate environments. So the least one can do is keep one's PHP applications up to date with the latest security fixes and segregate them on dedicated servers.

Now here is how we can replicate this setup at low cost:

[Figure: VMware setup]

Notes:

  • Only a single computer is used in this setup.
  • VMware allows you to define several different virtual subnets, and you can control them with Linux iptables. This gives you the ability to replicate virtually as many subnets and as many firewalls as you need at no additional cost.
  • Given the throughput of computers today, this will give pretty good performance and it can be used without problems in a production environment.
  • This is far better than piling up all kinds of applications on the same server.

Example of virtual subnets in Linux (ifconfig output on the VMware host; the vmnetN interfaces are the host side of each virtual subnet):

eth0 Link encap:Ethernet HWaddr 00:98:5D:99:E6:71
inet addr:197.226.98.12 Bcast:197.226.98.255 Mask:255.255.255.0
inet6 addr: e899::205:5d78:e828:e910/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3718522 errors:0 dropped:0 overruns:0 frame:0
TX packets:3578333 errors:0 dropped:0 overruns:0 carrier:0
collisions:19725 txqueuelen:1000
RX bytes:1091227678 (1040.6 Mb) TX bytes:1196347247 (1140.9 Mb)
Interrupt:12 Base address:0xcda0

eth1 Link encap:Ethernet HWaddr 00:18:31:56:B8:A0
inet addr:10.10.1.38 Bcast:10.10.1.255 Mask:255.255.255.0
inet6 addr: e880::217:31ff:e823:b49a/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:115999934 errors:0 dropped:0 overruns:0 frame:0
TX packets:105277162 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:3178822108 (3031.5 Mb) TX bytes:2563089678 (2444.3 Mb)
Interrupt:11 Base address:0xff23

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:3040615 errors:0 dropped:0 overruns:0 frame:0
TX packets:3040615 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1863352506 (1777.0 Mb) TX bytes:1863352506 (1777.0 Mb)

vmnet1 Link encap:Ethernet HWaddr 00:87:34:AB:C0:01
inet addr:10.10.88.1 Bcast:10.10.88.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1745811 errors:0 dropped:0 overruns:0 frame:0
TX packets:2204687 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vmnet3 Link encap:Ethernet HWaddr 00:87:34:AB:C0:03
inet addr:10.10.40.1 Bcast:10.10.40.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:3/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:393973 errors:0 dropped:0 overruns:0 frame:0
TX packets:443809 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vmnet4 Link encap:Ethernet HWaddr 00:87:34:AB:C0:04
inet addr:10.10.41.1 Bcast:10.10.41.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:4/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vmnet5 Link encap:Ethernet HWaddr 00:87:34:AB:C0:05
inet addr:10.10.42.1 Bcast:10.10.42.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vmnet6 Link encap:Ethernet HWaddr 00:87:34:AB:C0:06
inet addr:10.10.43.1 Bcast:10.10.43.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:6/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vmnet7 Link encap:Ethernet HWaddr 00:87:34:AB:C0:07
inet addr:10.10.44.1 Bcast:10.10.44.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:7/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

vmnet9 Link encap:Ethernet HWaddr 00:87:34:AB:C0:09
inet addr:10.10.45.1 Bcast:10.10.45.255 Mask:255.255.255.0
inet6 addr: e880::250:56ff:e8da:9/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
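The vmnet interfaces above are where the iptables control mentioned in the notes is applied. The following script is an added example, not from the original article: a host policy that lets only the reverse proxy open HTTP to the back ends and keeps a compromised back end from relaying mail or reaching its neighbours. The placement of the PHP back end on vmnet3 and the JSP back end on vmnet4, the static VM addressing and the `--apply` flag are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article: iptables policy on the VMware
# host for the vmnet subnets listed above.  Assumptions (constructed for the
# example): Apache runs on the host itself (it binds eth0, 197.226.98.12), the
# PHP back-end VM sits on vmnet3 (10.10.40.0/24) and the JSP back-end VM on
# vmnet4 (10.10.41.0/24); VMs have static addresses and reach the Internet
# only through the host (NAT).  Without --apply the rules are only printed.
IPT="${IPT:-iptables}"
case "${1:-}" in --apply) ;; *) IPT="echo iptables" ;; esac
EXT_IF="eth0"
PHP_IF="vmnet3"; PHP_NET="10.10.40.0/24"
JSP_IF="vmnet4"; JSP_NET="10.10.41.0/24"

apply_policy() {
    # Nothing is forwarded between or out of the virtual subnets unless allowed below.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # The reverse proxy (this host) may open only HTTP to each back end;
    # every other new connection from the host into a vmnet subnet is dropped.
    $IPT -A OUTPUT -o "$PHP_IF" -d "$PHP_NET" -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -o "$JSP_IF" -d "$JSP_NET" -p tcp --dport 8080 -j ACCEPT
    $IPT -A OUTPUT -o "$PHP_IF" -m conntrack --ctstate NEW -j DROP
    $IPT -A OUTPUT -o "$JSP_IF" -m conntrack --ctstate NEW -j DROP

    for net in "$PHP_NET" "$JSP_NET"; do
        # A compromised back end must not become a spam relay: log, then drop,
        # outbound SMTP.  The log prefix gives the operators a detection signal.
        $IPT -A FORWARD -s "$net" -o "$EXT_IF" -p tcp --dport 25 -j LOG --log-prefix "smtp-from-backend: "
        $IPT -A FORWARD -s "$net" -o "$EXT_IF" -p tcp --dport 25 -j DROP
        # Back ends may still fetch security updates and resolve names.
        $IPT -A FORWARD -s "$net" -o "$EXT_IF" -p tcp -m multiport --dports 80,443 -j ACCEPT
        $IPT -A FORWARD -s "$net" -o "$EXT_IF" -p udp --dport 53 -j ACCEPT
    done

    # Back-end subnets never talk to each other (no lateral movement between VMs).
    $IPT -A FORWARD -s "$PHP_NET" -d "$JSP_NET" -j DROP
    $IPT -A FORWARD -s "$JSP_NET" -d "$PHP_NET" -j DROP
    # Anything else is logged just before the DROP policy discards it.
    $IPT -A FORWARD -j LOG --log-prefix "vmnet-fwd-drop: "
}

apply_policy
```

Review the printed rules first, then run the script once at boot as root with `--apply`; the OUTPUT rules are appended, so re-running without flushing OUTPUT duplicates them.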

Apache reverse proxy configuration:

# mod_proxy and mod_rewrite must be loaded before the directives below
# (drop these LoadModule lines if the modules are compiled in statically).
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so

<IfModule mod_proxy.c>
    # IMPORTANT SETTING: Off, otherwise everybody will be able to use your server as a relay!!!
    ProxyRequests Off
    #
    # To enable the cache as well, edit and uncomment the following lines
    # (no caching without CacheRoot). These are the Apache 1.3 mod_proxy cache
    # directives; Apache 2.x uses mod_cache / mod_disk_cache instead.
    #
    #CacheRoot "/var/lib/apache/proxy"
    #CacheSize 5
    #CacheGcInterval 4
    #CacheMaxExpire 24
    #CacheLastModifiedFactor 0.1
    #CacheDefaultExpire 1
    #NoCache a-domain.com another-domain.edu joes.garage-sale.com
</IfModule>
# End of proxy directives.

# Three name-based virtual hosts share 197.226.98.12:80. NameVirtualHost is
# required for this on Apache 2.0/2.2 (Apache 2.4 ignores it with a warning).
NameVirtualHost 197.226.98.12:80

# NOTE: the back-end names (php1.oc9.com, perl.oc9.com, jsp.oc9.com) must resolve,
# on the proxy host, to the VMs' addresses on the vmnet subnets (e.g. via
# /etc/hosts). If they resolve to 197.226.98.12, ProxyPass loops back to this server.

<VirtualHost 197.226.98.12:80>
    # Refuse TRACE/TRACK requests (cross-site tracing) for this host.
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    ServerName php1.oc9.com
    DocumentRoot /var/lib/apache/htdocs/
    ServerPath /php1/
    ErrorLog "| rotatelogs logs/%Y_%m_%U_%d_%H_%M_%S.php1-error_log 86400 -300"
    CustomLog "| rotatelogs logs/%Y_%m_%U_%d_%H_%M_%S.php1-access_log 86400 -300"
    UserDir disabled

    ProxyPass / http://php1.oc9.com/
    ProxyPassReverse / http://php1.oc9.com/
</VirtualHost>

<VirtualHost 197.226.98.12:80>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    ServerName perl.oc9.com
    DocumentRoot /var/lib/apache/htdocs/
    ServerPath /perl/
    ErrorLog "| rotatelogs logs/%Y_%m_%U_%d_%H_%M_%S.perl-error_log 86400 -300"
    CustomLog "| rotatelogs logs/%Y_%m_%U_%d_%H_%M_%S.perl-access_log 86400 -300"
    UserDir disabled

    ProxyPass / http://perl.oc9.com/
    ProxyPassReverse / http://perl.oc9.com/
</VirtualHost>

<VirtualHost 197.226.98.12:80>
    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]

    ServerName www.oc9.com
    DocumentRoot /var/lib/apache/htdocs/
    ServerPath /
    ErrorLog "| rotatelogs logs/%Y_%m_%U_%d_%H_%M_%S.jsp-error_log 86400 -300"
    CustomLog "| rotatelogs logs/%Y_%m_%U_%d_%H_%M_%S.jsp-access_log 86400 -300"
    UserDir disabled

    # Only the /jsp/ prefix is proxied; everything else is served from DocumentRoot.
    ProxyPass /jsp/ http://jsp.oc9.com:8080/oc9/
    ProxyPassReverse /jsp/ http://jsp.oc9.com:8080/oc9/
</VirtualHost>
Comments (3)
Virtualhost reverseproxy
1 Friday, 23 May 2008 04:18
qwerty keyboard
Hello,

I have 2 machines, 1 server and 1 workstation, and a DNS name (www.sigenaulit.com) which is pointing to server 1.

    machine 1 : www.walangalam.com
    machine 2 IP: 192.168.0.2

Using reverseproxy I have www.walangalam.com/yw working with a (www.walangalam.com apache) config of:

    ProxyPass /yw http://192.168.0.2/yw
    ProxyPassReverse /yw http://192.168.0.2/yw

My problem now is how can I publish http://192.168.0.2/yw from www.sigenaulit.com?

I tried a lot of formats, but it seems that I can't find threads to solve the problem.

Thanks for your help.
re: Virtualhost reverseproxy
2 Saturday, 24 May 2008 22:22
Alain Côté

Hi,

I am not sure that I understand what you are asking right, but here is the config I would use to make http://192.168.0.2/yw/ available on both www.walangalam.com/yw/ and www.sigenaulit.com/yw/:


# Both name-based virtual hosts share one IP:port (needed on Apache 2.0/2.2).
NameVirtualHost YOUR_EXTERNAL_IP:80

<VirtualHost YOUR_EXTERNAL_IP:80>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerName sigenaulit.com
ServerAlias www.sigenaulit.com
DocumentRoot /usr/local/apache/htdocs/sigenaulit.com
ServerPath /
ErrorLog "| /usr/local/apache/bin/rotatelogs /usr/local/apache/logs/%Y_%m_%U_%d_%H_%M_%S.sigenaulit.com_error_log 86400 -300"
CustomLog "| /usr/local/apache/bin/rotatelogs /usr/local/apache/logs/%Y_%m_%U_%d_%H_%M_%S.sigenaulit.com_access_log 86400 -300" combined
UserDir disabled

ProxyPass /yw/ http://192.168.0.2/yw/
ProxyPassReverse /yw/ http://192.168.0.2/yw/

</VirtualHost>

<VirtualHost YOUR_EXTERNAL_IP:80>
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
ServerName walangalam.com
ServerAlias www.walangalam.com
DocumentRoot /usr/local/apache/htdocs/walangalam.com
ServerPath /
ErrorLog "| /usr/local/apache/bin/rotatelogs /usr/local/apache/logs/%Y_%m_%U_%d_%H_%M_%S.walangalam.com_error_log 86400 -300"
CustomLog "| /usr/local/apache/bin/rotatelogs /usr/local/apache/logs/%Y_%m_%U_%d_%H_%M_%S.walangalam.com_access_log 86400 -300" combined
UserDir disabled

ProxyPass /yw/ http://192.168.0.2/yw/
ProxyPassReverse /yw/ http://192.168.0.2/yw/

</VirtualHost>

Cheers,


Alternative steps
3 Friday, 22 November 2013 13:14
Job Veenstra
To use Apache HTTP Daemon for SSL offloading in a proxy situation, you can find more information in a blog by a colleague: http://www.invantive.com/about-invantive/news/entryid/926/ssl-offloading-voor-apache-tomcat

Last updated (Saturday, 15 December 2007 21:39)