Re: Opinions on Security of Reverse Proxy

From: Bennett Todd (bet@rahul.net)
Date: Fri Jun 28 2002 - 10:42:53 EDT


2002-06-25-11:50:46 Andrews, Ryan:
> Here's a question for those conducting pen tests against reverse proxies:
> what are your opinions of reverse proxies?

Let's make sure we're talking about the same thing: a "reverse
proxy" is just a proxy fronting a server, where all clients talk to
the proxy rather than directly to the server, in contrast to the
normal proxy setup where a specific population of clients go out
through a proxy to contact all servers.

Most of the time, reverse proxies are talked about for fronting HTTP
servers.

Sometimes they're security-neutral; e.g. sometimes, when people set
up servers on which it's very expensive to build pages, they'll slap
a squid in front of it simply to accelerate the server. There's not
typically any security implication one way or another to such an
implementation strategy.

A reverse proxy, in the context of security discussions, can
contribute to security by (a) limiting the exposure of the host,
just like any other firewall; and (b) doing some sanity-checking of
the actual HTTP content.

(a) is often what people focus on, but I think it's the less
interesting part of the picture. Yes, configuring a reverse-proxy in
front of a webserver may keep other unrelated ports (rpc, printer
services, network filesystems, etc) from being reachable; but that
same effect can be achieved with border routers, external firewalls,
software packet filtering used to harden the host, careful daemon
configuration, etc.

The big value add that a reverse proxy can add is meticulous
validation of the queries sent to the server. Naturally, this is
expensive to implement in proportion to the complexity of the site;
the more diverse the range of possible requests that the site can
service, the more complex the configuration required to describe all
legitimate requests to the reverse proxy, and hence the greater
temptation to short-cut the specification with over-general
descriptions.

The very best reverse proxy design would not only validate requests,
it would also reconstruct them from scratch, thereby automatically
blocking completely off-the-wall attacks like the recent Apache
chunked encoding brouhaha.

A nice, helpful feature in a reverse proxy would be the ability to
have it auto-configure itself. Then all you need is a good coverage
test for your website, and you can pull out a tight reverse proxy
config for free.

Now this is the pen-test group, so a meaty question is what do
reverse proxies mean to pen testers. Typically, they can be thought
of as firewalls (since they block access to other ports on the http
servers), with more or less (how tight is the URL-pattern tuning)
application-specific screening to block attacks.

-Bennett
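
The validate-and-reconstruct design and the auto-configuration from a coverage test described in the message above, as an added Python example that is not part of the original post. The sample request lines, the two value classes and the `backend.internal` host name are assumptions made up for illustration.

```python
import re

# Constructed sample: request lines recorded while a coverage test walked the site.
COVERAGE = [
    "GET /index.html",
    "GET /search?q=proxy&page=2",
    "GET /search?q=squid",
    "GET /item?id=17",
]
# Value classes, tightest first. Percent-encoded values match neither, by design.
CLASSES = [("digits", re.compile(r"[0-9]{1,10}")),
           ("word", re.compile(r"[A-Za-z0-9_.-]{1,64}"))]

def split_target(target):
    """Return (path, [(name, value), ...]); pairs is None if the query is malformed."""
    path, _, query = target.partition("?")
    pairs = [p.partition("=") for p in query.split("&") if p]
    if any(sep != "=" for _, sep, _ in pairs):
        return path, None
    return path, [(n, v) for n, _, v in pairs]

def learn(lines):
    """Build {(method, path): {param: class index}} from coverage-test traffic."""
    policy = {}
    for line in lines:
        method, target = line.split(" ", 1)
        path, pairs = split_target(target)
        rules = policy.setdefault((method, path), {})
        for name, value in pairs:
            fit = next(i for i, (_, rx) in enumerate(CLASSES) if rx.fullmatch(value))
            rules[name] = max(rules.get(name, 0), fit)  # widen only as far as observed
    return policy

def rebuild(policy, method, target, headers, backend="backend.internal"):
    """Return a request built from scratch, or None if it falls outside the policy."""
    path, pairs = split_target(target)
    rules = policy.get((method, path))
    if rules is None or pairs is None or len({n for n, _ in pairs}) != len(pairs):
        return None
    # The learned requests carry no body, so client framing headers are refused.
    if {h.lower() for h in headers} & {"transfer-encoding", "content-length"}:
        return None
    for name, value in pairs:
        if name not in rules or not CLASSES[rules[name]][1].fullmatch(value):
            return None
    query = "&".join(f"{n}={v}" for n, v in sorted(pairs))
    line = f"{method} {path}{'?' + query if query else ''} HTTP/1.0"
    # Only proxy-generated headers go upstream; nothing is copied from the client.
    return f"{line}\r\nHost: {backend}\r\n\r\n"
```

Because the upstream request is assembled only from the learned path, validated parameters and proxy-set headers, a client's chunked framing or stray headers never reach the server.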
