Use reverse proxy technology to protect Web servers
To increase network security and protect important data on the internal network, the internal network needs to be isolated from the Internet, and at present this is mainly done with firewall technology. To protect internal hosts, however, the firewall software must restrict access from the external network to hosts on the internal network, so with an ordinary firewall configuration the external network cannot access internal hosts. Yet to publish your own information, you need to allow external networks to access your web server. The simplest approach is to place the web server outside the firewall, so that the web server is separated from the internal network. The web server is then exposed to the outside network, where it is likely to attract attacks, resulting in potential problems such as server paralysis or problems with its web pages. The information held on web servers is becoming richer and more important, and the importance of the web server itself is obvious, so a firewall should be used to protect it. Putting the web server behind the firewall requires support from the firewall.
There are two main types of firewall. One is the packet-filtering firewall, which checks each IP packet against the filtering rules set by the administrator to decide whether it meets the requirements. The filtering rules can use the names and IP addresses of the source and destination hosts, the port address, the network interface used, and the type of IP packet. A packet-filtering firewall usually protects the internal network according to the type of the IP packet. If you want to put the web server behind the firewall, you need to allow access to this web server and the TCP port it uses.
The other type is the application-proxy firewall, which provides a corresponding proxy service for each application protocol: the proxy server accesses the network on the client's behalf and returns the result to the client. With the standard HTTP proxy service, the client's browser must be configured with the IP address of the proxy server, and other external hosts cannot be required to set a proxy server address in order to reach hosts on this internal network. The proxy server itself does not distinguish between the external and internal networks, but it relies on Internet name resolution to locate the web server, while internal addresses are usually used behind the firewall. As a result, an ordinary proxy firewall does not support HTTP requests from the external network to an internal web server; the normal proxy server simply blocks access from external addresses. The simplest way to protect a web server that publishes information externally is therefore to use a packet-filtering firewall. Once hosts on the external network are allowed to initiate connections to the internal network, an attacker can attempt connections from outside, which gives the attacker more ways to attack the internal network and lowers the security of the whole network. If external hosts are not allowed to initiate connections to the internal network, an attacker has to resort to methods such as Trojan horses or IP spoofing. There are no ready-made tools for these methods, so the complexity of an attack is greatly increased and the likelihood of the network being attacked is greatly reduced, to the point of being almost impossible. Once an attacker gets into a web server on the internal network, however, the entire internal network is exposed to the attacker and the firewall can no longer play a role.
Redefining the filtering rules of a packet-filtering firewall and putting the web server on the internal network is therefore only a simple way to protect the web server, and it does not help protect the security of the internal network as a whole. To protect both the web server and the internal network, the safer approach currently in use is a double firewall. The outer firewall performs packet filtering but allows external networks to access the web server; the inner firewall allows the innermost internal network to access external networks. The area between the outer firewall and the inner firewall is called the demilitarized zone (DMZ), and the servers that external networks are allowed to access are located in this area, so that even if an attacker gets through the outer firewall into this area, it is impossible to attack the internal network from there. By setting up two firewalls, the double-layer design makes the internal network more secure.
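The difference between the two layouts can be checked with a small first-match packet-filter model. This is an added example, not part of the original article; all addresses, subnets, rule sets and the probed port 445 are constructed assumptions, and only connection initiation is modelled.

```python
from ipaddress import ip_address, ip_network

# All addresses and rule sets below are constructed for illustration.
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/24")      # assumed internal LAN
DMZ = ip_network("192.168.50.0/24")       # assumed DMZ subnet
WEB_INSIDE = ip_network("10.0.0.80/32")   # web server placed on the LAN
WEB_DMZ = ip_network("192.168.50.80/32")  # web server placed in the DMZ

def decide(rules, src, dst, dport):
    """First matching (action, src_net, dst_net, port) rule wins; default deny."""
    for action, src_net, dst_net, port in rules:
        if src in src_net and dst in dst_net and port in (None, dport):
            return action
    return "deny"

def zone(ip, has_dmz):
    if ip in INTERNAL:
        return "internal"
    return "dmz" if has_dmz and ip in DMZ else "external"

def can_connect(layout, src, dst, dport):
    """True if a new connection src -> dst:dport passes every firewall between
    the two zones. Hosts in the same zone have no firewall between them."""
    s, d = ip_address(src), ip_address(dst)
    zones = frozenset({zone(s, layout["dmz"]), zone(d, layout["dmz"])})
    return all(decide(fw, s, d, dport) == "allow"
               for fw in layout["firewalls"].get(zones, []))

def exposed_hosts(layout, web_server, hosts, dport=445):
    """Internal hosts a compromised web server could open connections to
    (445 is an assumed internal service port)."""
    return [h for h in hosts if can_connect(layout, web_server, h, dport)]

# Layout 1: a single packet filter with the web server inside it.
SINGLE = {"dmz": False, "firewalls": {
    frozenset({"external", "internal"}): [
        [("allow", ANY, WEB_INSIDE, 80), ("allow", INTERNAL, ANY, None)]],
}}

# Layout 2: outer and inner firewalls with the web server in the DMZ.
OUTER = [("allow", ANY, WEB_DMZ, 80), ("allow", INTERNAL, ANY, None)]
INNER = [("allow", INTERNAL, ANY, None)]
DOUBLE = {"dmz": True, "firewalls": {
    frozenset({"external", "dmz"}): [OUTER],
    frozenset({"dmz", "internal"}): [INNER],
    frozenset({"external", "internal"}): [OUTER, INNER],
}}
```

Calling `exposed_hosts(SINGLE, "10.0.0.80", [...])` returns every LAN host passed in, while `exposed_hosts(DOUBLE, "192.168.50.80", [...])` returns an empty list, because the inner firewall sits between the DMZ and the LAN.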