One of the most popular ways of implementing a proxy or reverse-proxy server is to use the Apache mod_proxy module. By setting up a very stripped-down server (running Linux would be ideal) and using Apache with mod_proxy, you can build an inexpensive proxy server that is secure as long as it is configured to proxy only what you intend.
Here is an example of what to put in the Apache httpd.conf file of your reverse proxy server:
This setup disables the forward proxy (ProxyRequests Off) so the box cannot be hijacked as an open relay to arbitrary hosts. It then remaps all incoming WWW requests to the inside server (999.888.111.212 here is a placeholder, not a routable address). The inside server could also listen on a non-standard port, which hides it from casual scanning but is no substitute for the firewall rules that follow.
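The following is an added example rather than the article's own httpd.conf: it writes an Apache 2.4 reverse-proxy fragment for the setup just described and then checks it for the one directive that turns a reverse proxy into an open forward proxy. The module paths and the backend port are assumptions for illustration, and the backend address is the article's placeholder.

```shell
#!/bin/sh
# Added example (not the article's httpd.conf): write an Apache 2.4 reverse-proxy
# fragment and check it for the setting that turns a reverse proxy into an open
# forward proxy. Module paths and the backend port are assumptions; the backend
# address is the article's placeholder and is not routable.
BACKEND="${BACKEND:-http://999.888.111.212:8080/}"   # inside server on a non-standard port

# write_proxy_conf FILE: emit a reverse-proxy-only configuration fragment.
write_proxy_conf() {
    cat > "$1" <<EOF
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Forward proxying off: with it on, anyone could relay requests through this box.
ProxyRequests Off
# Pass the client's Host: header through so the inside server sees the real site name.
ProxyPreserveHost On

# Map every incoming request to the inside server, and rewrite Location: headers
# in its responses so clients never learn the inside address.
ProxyPass / $BACKEND
ProxyPassReverse / $BACKEND
EOF
}

# check_no_forward_proxy FILE: fail if the fragment enables forward proxying.
# ProxyRequests defaults to Off, so only an explicit "On" is a problem.
check_no_forward_proxy() {
    if grep -Eiq '^[[:space:]]*ProxyRequests[[:space:]]+On' "$1"; then
        echo "FAIL: $1 turns on forward proxying (ProxyRequests On)" >&2
        return 1
    fi
    echo "ok: $1 is reverse-proxy only"
    return 0
}

# Stand-alone demo: write the fragment to a temporary file and check it.
conf="$(mktemp)"
write_proxy_conf "$conf"
check_no_forward_proxy "$conf"
echo "review $conf, copy it into httpd.conf, then run 'apachectl configtest'"
```

The check is deliberately narrow: it catches the explicit ProxyRequests On that the text warns about. Confirm the live server too, by requesting a URL for some unrelated host through it (a reverse-proxy-only server must refuse).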
Here is an example of some ACL statements for a Cisco firewall that permit only traffic from the proxy server (999.888.1.211) to the inside web server (999.888.111.212) and deny everything else:
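As an added example (not the article's own ACL), here is an extended Cisco IOS-style access list implementing that policy, together with a small first-match evaluator so the rules can be checked offline before they are pasted into the router. The interface names are assumptions; the addresses are the article's placeholders and are treated as opaque strings. On a stateful firewall such as a PIX the second list, which admits the return half of each connection, is unnecessary; a stateless router ACL needs it.

```shell
#!/bin/sh
# Added example (not the article's ACL): an extended Cisco IOS-style access list
# that permits only the reverse proxy to reach the inside web server on TCP/80
# and denies everything else, plus a first-match evaluator for checking the
# policy offline. Interface names are assumptions; the addresses are the
# article's placeholders, handled as opaque strings (they are not valid IPv4).
PROXY="999.888.1.211"
WEB="999.888.111.212"

# write_acl FILE: the ACL as it would be typed in IOS configuration mode.
write_acl() {
    cat > "$1" <<EOF
! ACL 101, inbound on the interface facing the proxy: only proxy -> web on www.
! Anything unmatched falls through to IOS's implicit "deny ip any any"; the
! explicit deny is there so the drops are logged.
access-list 101 permit tcp host $PROXY host $WEB eq www
access-list 101 deny ip any any log
!
! A stateless router ACL also needs the reply half of the connection, inbound
! on the interface facing the web server; "established" admits only packets
! with ACK or RST set, i.e. replies to connections the proxy opened.
access-list 102 permit tcp host $WEB eq www host $PROXY established
access-list 102 deny ip any any log
!
interface FastEthernet0/0
 ip access-group 101 in
interface FastEthernet0/1
 ip access-group 102 in
EOF
}

# acl_decision FILE ACL SRC DST PORT: walk the numbered ACL top to bottom and
# print the action of the first matching line, or "deny" when nothing matches
# (the implicit deny). Handles the two line shapes used in ACL 101:
#   permit|deny tcp host SRC host DST eq PORT
#   permit|deny ip any any
acl_decision() {
    awk -v num="$2" -v src="$3" -v dst="$4" -v port="$5" '
        $1 == "access-list" && $2 == num {
            if ($4 == "ip" && $5 == "any" && $6 == "any") { print $3; found = 1; exit }
            if ($4 == "tcp" && $5 == "host" && $6 == src &&
                $7 == "host" && $8 == dst && $9 == "eq" && $10 == port) {
                print $3; found = 1; exit
            }
        }
        END { if (!found) print "deny" }
    ' "$1"
}

# Stand-alone demo.
acl="$(mktemp)"
write_acl "$acl"
echo "proxy -> web :www  $(acl_decision "$acl" 101 "$PROXY" "$WEB" www)"
echo "other -> web :www  $(acl_decision "$acl" 101 999.888.1.250 "$WEB" www)"
echo "proxy -> web :22   $(acl_decision "$acl" 101 "$PROXY" "$WEB" 22)"
rm -f "$acl"
```

The evaluator exists to make the ACL's semantics concrete: lines are tried in order, the first match wins, and an ACL with no matching line denies. That last point is why the proxy's own address still cannot reach port 22 on the web server, and why an empty or misnumbered ACL silently blocks everything.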
NAT (network address translation) is a service commonly built into firewalls that rewrites the source address of all traffic leaving the inside network to a single outbound address. Systems that provide NAT usually also offer virtual servers (port forwarding, or destination NAT): packets addressed to a given port on the firewall are rewritten and delivered to a specified server inside. Functionally this resembles a reverse proxy and can be configured for many applications at once, but the firewall forwards packets rather than terminating the connection, so nothing inspects or normalizes the application protocol the way an Apache reverse proxy does.
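The two NAT functions just described, as an added example in Linux iptables rather than anything from the article: outbound traffic from the inside network is masqueraded behind the firewall's address, and inbound TCP/80 to the firewall is forwarded to the inside web server. Interface names and addresses are assumptions. By default the script only prints the rules; run it with IPTABLES=iptables as root to apply them.

```shell
#!/bin/sh
# Added example (not from the article): source NAT for the inside network plus a
# "virtual server" (destination NAT) for port 80, as Linux iptables rules.
# Interface names and addresses are assumptions. Rules are printed unless the
# caller sets IPTABLES=iptables.
IPTABLES="${IPTABLES:-echo iptables}"
OUTSIDE_IF="eth0"            # Internet-facing interface
INSIDE_NET="192.168.1.0/24"  # private network behind the firewall
WEB_SERVER="192.168.1.10"    # inside web server the virtual server maps to
WEB_PORT="80"

# nat_rules: emit (or apply) the rule set. Policy first, then only the flows
# that are explicitly wanted.
nat_rules() {
    # Outbound: rewrite the source of everything leaving the inside network.
    $IPTABLES -t nat -A POSTROUTING -s "$INSIDE_NET" -o "$OUTSIDE_IF" -j MASQUERADE
    # Virtual server: rewrite the destination of port-80 traffic that hits the firewall.
    $IPTABLES -t nat -A PREROUTING -i "$OUTSIDE_IF" -p tcp --dport "$WEB_PORT" \
        -j DNAT --to-destination "$WEB_SERVER:$WEB_PORT"
    # DNAT alone forwards nothing: the FORWARD chain must admit the flow, and
    # only that flow. Everything else crossing the firewall is dropped.
    $IPTABLES -P FORWARD DROP
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$OUTSIDE_IF" -p tcp -d "$WEB_SERVER" --dport "$WEB_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -A FORWARD -s "$INSIDE_NET" -o "$OUTSIDE_IF" -j ACCEPT
}

# forwarded_ports: list "port -> target" pairs from the rule set so the exposed
# surface can be reviewed before applying (meaningful in dry-run mode only).
forwarded_ports() {
    nat_rules | awk '/-j DNAT/ {
        for (i = 1; i <= NF; i++) {
            if ($i == "--dport") p = $(i + 1)
            else if ($i == "--to-destination") t = $(i + 1)
        }
        print p " -> " t
    }'
}

# Stand-alone demo: print the rules, then the summary of what is exposed.
nat_rules
echo "forwarded: $(forwarded_ports)"
```

The point a practitioner wants from this is the FORWARD policy: a DNAT rule on a firewall whose forward chain is permissive exposes far more than the one port it appears to open.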
If you want the strongest protection for a select group of customers, you can implement a VPN. On your end you need a hardware- or software-based VPN concentrator. Your customers need VPN client software on their computers, and you have to issue each of them a VPN login ID and password (or, better, a client certificate or a second factor, since a password alone is the weakest part of this design). Once they have authenticated to the VPN concentrator, their client computer is essentially inside your network on a virtual circuit, and all traffic is encrypted as it crosses the Internet through the tunnel. Connect your web server to the other side of the concentrator through a separate network card so that the concentrator is not attached directly to your main network; a compromised customer machine then reaches only the web server, not everything behind it.
The Secure Sockets Layer protocol is a protocol layer that sits between a reliable, connection-oriented transport protocol (e.g. TCP) and the application protocol (e.g. HTTP). SSL provides secure communication between client and server: authentication of the server (and optionally the client) through certificates and digital signatures in the handshake, message authentication codes for integrity, and encryption for privacy.

You can run mod_ssl or Apache-SSL to provide your end users with a secure 128-bit encrypted link to your site (128 bits being the symmetric cipher key length). Both use OpenSSL, which provides SSL v2/v3 and TLS v1. Note that SSL v2 and v3, and TLS 1.0 and 1.1, have since been broken or deprecated: disable them and allow TLS 1.2 or later, which current OpenSSL and mod_ssl support.
Now the file cert.csr can be sent to the certificate authority, if they accept files in PEM format. If not, add the argument -outform followed by the encoding to use (for example -outform DER). The private key generated alongside the request stays on the server and is never sent to the CA.
Running SSL means that clients connect to your server with https:// over port 443 rather than the normal port 80. A standard web browser connects to port 443 automatically when given an https:// URL.
To set this up, download OpenSSL and then either mod_ssl or Apache-SSL. You then need a certificate from one of the signing authorities, such as VeriSign. To get one you must prove to the authority who you are; that validation is what lets a visitor's browser tie your server's public key to your domain name. Keep in mind that the certificate vouches for identity and enables the encrypted link; it says nothing about whether the web application behind it is secure.
Here is a 15-minute procedure (for testing only!) to set up an SSL-aware Apache web server under /usr/local/apache/ using mod_ssl. It gives you some hands-on experience before you apply the same steps to your main server.
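The steps that the CSR discussion and the test-only procedure above describe, as an added example that is not the article's own procedure: generate a private key and a PEM certificate request with OpenSSL, convert the request to DER for a CA that cannot read PEM, self-sign it for a test-only certificate, and write the mod_ssl VirtualHost (Apache 2.4 syntax) that uses the result. The directory, hostname and subject fields are assumptions for illustration, and the script needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example, not the article's 15-minute procedure: key + PEM CSR, DER
# conversion, a TEST-ONLY self-signed certificate, and a mod_ssl VirtualHost.
# Directory, hostname and subject fields are assumptions for illustration.
DIR="${DIR:-$(mktemp -d)}"
CN="${CN:-www.example.com}"

# make_csr: 2048-bit RSA key (left unencrypted so Apache can start unattended;
# protect it with file permissions instead) plus cert.csr in PEM. Returns 0 only
# if the request's self-signature verifies and it carries the requested CN.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$DIR/server.key" -out "$DIR/cert.csr" \
        -subj "/C=US/ST=Example/L=Example/O=Example Inc/CN=$CN" 2>/dev/null &&
    chmod 600 "$DIR/server.key" &&
    openssl req -in "$DIR/cert.csr" -noout -verify >/dev/null 2>&1 &&
    openssl req -in "$DIR/cert.csr" -noout -subject | grep -q "CN *= *$CN"
}

# csr_to_der: the -outform argument the article mentions; DER is the binary
# encoding some CAs insist on. The key is untouched.
csr_to_der() {
    openssl req -in "$DIR/cert.csr" -outform DER -out "$DIR/cert.der" 2>/dev/null
}

# self_sign: TESTING ONLY. Signs the request with its own key so the server can
# be exercised before the CA-issued certificate arrives; browsers will warn.
# Also checks that the certificate's public key really matches server.key.
self_sign() {
    openssl x509 -req -days 30 -in "$DIR/cert.csr" \
        -signkey "$DIR/server.key" -out "$DIR/server.crt" 2>/dev/null &&
    [ "$(openssl x509 -noout -modulus -in "$DIR/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$DIR/server.key" 2>/dev/null)" ]
}

# write_ssl_vhost FILE: HTTPS VirtualHost on 443 with the obsolete protocols off.
write_ssl_vhost() {
    cat > "$1" <<EOF
Listen 443
<VirtualHost *:443>
    ServerName $CN
    DocumentRoot /usr/local/apache/htdocs
    SSLEngine on
    # SSLv2 is never offered by Apache 2.4; drop SSLv3 and TLS 1.0/1.1 as well.
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCertificateFile    $DIR/server.crt
    SSLCertificateKeyFile $DIR/server.key
</VirtualHost>
EOF
}

# Stand-alone demo (needs the openssl command-line tool on PATH).
make_csr && csr_to_der && self_sign && write_ssl_vhost "$DIR/httpd-ssl.conf" &&
echo "key, CSR (PEM and DER), test certificate and vhost written under $DIR"
```

When the CA-issued certificate arrives, replace server.crt with it (plus any intermediate chain the CA supplies) and keep the same server.key; the key never leaves the machine.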
One thing to note when using SSL is that it requires more processing power than plain HTTP, because every transaction must be encrypted and decrypted. Most of the cost is in the handshake (the public-key operations when a session is established), so servers handling many short connections suffer most; session resumption reduces it, and busy sites can add hardware crypto accelerators.
There are also several applications that can help you, such as Tripwire, Snort and honeypots.
Honeypots are systems placed in your DMZ with only basic security and no real data on them. Their only purpose is to attract would-be intruders and lure them in, so you can track and log their progress for later prosecution and learn their tools. A honeypot must be isolated from production systems and its outbound traffic restricted, or the intruder simply uses it as a foothold against the rest of your network.
Tripwire is a tool that checks what has changed on your system. It records key attributes of files that should not change (a cryptographic hash of the contents, size, permissions, ownership, timestamps) in a baseline and reports any deviation on later runs. Tripwire is best known as an intrusion-detection tool, but it serves equally well for integrity assurance, change management and policy compliance. The baseline and the tool itself must be kept where an intruder on the monitored host cannot modify them (read-only media or a separate machine), or a careful attacker simply re-baselines after installing a rootkit.
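A minimal Tripwire-style integrity check, as an added example built from coreutils rather than Tripwire itself: a baseline of SHA-256 digest, size, mode and owner is recorded for each watched file, and a later run reports anything that changed or vanished. The paths are assumptions, and it relies on GNU sha256sum and stat, i.e. on Linux as the article assumes.

```shell
#!/bin/sh
# Added example (not Tripwire itself): a minimal Tripwire-style integrity check
# built from coreutils. Paths are assumptions. Like Tripwire, it is only as
# trustworthy as its baseline: keep the baseline (and this script) on read-only
# media or another host. Uses GNU sha256sum and stat -c (Linux).

# take_baseline BASELINE FILE...: record "<sha256> <size:mode:owner> <path>".
take_baseline() {
    out="$1"; shift
    : > "$out"
    for f in "$@"; do
        printf '%s %s %s\n' \
            "$(sha256sum "$f" | cut -d' ' -f1)" \
            "$(stat -c '%s:%a:%U' "$f")" \
            "$f" >> "$out"
    done
}

# verify_baseline BASELINE: re-hash every recorded file and print what changed.
# Returns 1 if anything differs or is missing, 0 if everything is intact.
verify_baseline() {
    rc=0
    while read -r hash meta path; do
        if [ ! -e "$path" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        now_hash="$(sha256sum "$path" | cut -d' ' -f1)"
        now_meta="$(stat -c '%s:%a:%U' "$path")"
        if [ "$now_hash" != "$hash" ]; then
            echo "CHANGED  $path (contents)"; rc=1
        elif [ "$now_meta" != "$meta" ]; then
            echo "CHANGED  $path (size:mode:owner $meta -> $now_meta)"; rc=1
        fi
    done < "$1"
    return "$rc"
}

# Stand-alone demo on constructed files: baseline, then tamper, then verify.
demo="$(mktemp -d)"
printf 'bin/login v1\n' > "$demo/login"
printf 'PermitRootLogin no\n' > "$demo/sshd_config"
take_baseline "$demo/baseline.txt" "$demo/login" "$demo/sshd_config"
verify_baseline "$demo/baseline.txt" && echo "clean"
printf 'bin/login v1 + backdoor\n' > "$demo/login"   # simulated trojaned binary
rm -f "$demo/sshd_config"                             # simulated deleted config
verify_baseline "$demo/baseline.txt" || echo "integrity check FAILED"
rm -rf "$demo"
```

Run take_baseline once from a known-good state (ideally right after installation, before the host is on the network), then schedule verify_baseline and alert on a non-zero exit; a hash match with a changed mode or owner is reported too, since a rootkit that preserves file contents but flips a setuid bit is a classic case.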
Snort (aka The Piggy) is a comprehensive packet-analyzing intrusion-detection system (IDS), and ACID (Analysis Console for Intrusion Databases) is a PHP-based analysis engine that helps you search and analyze your IDS logs.