What are the security advantages of using a proxy server?

I don't have htaccess, but since I did this on Nginx some time ago I can at least give you a bash script. I scan a directory (and its subdirectories) and gzip the listed file types. It also re-creates the gzip when the source is newer.

#!/bin/bash
# jve - 2011
# this script checks a list of directories for a list of extensions and
# generates gzipped versions of the files that are found
# if the modification date of a file is newer than its gzipped version
# then the gzip file is regenerated

# specify a filetype like *.css or a filename like index.html
# leave one space between each entry
FILETYPES="*.css *.jpg *.jpeg *.gif *.png *.js *.html"

# specify a list of directories to check recursively
DIRECTORIES="/var/www/nginx_default/*"

for currentdir in $DIRECTORIES
do
   # disable globbing while FILETYPES is split, so that a pattern like *.css
   # reaches find as a pattern instead of being expanded in the current directory
   set -f
   for extension in $FILETYPES
   do
      # the file name is passed to the inner shell as $1 rather than pasted into
      # the command string, so names containing spaces or quotes are handled safely
      find "$currentdir" -type f -iname "$extension" -exec bash -c '
         PLAINFILE=$1; GZIPPEDFILE=$1.gz
         if [ -e "$GZIPPEDFILE" ]; then
            if [ "$(stat --printf=%Y "$PLAINFILE")" -gt "$(stat --printf=%Y "$GZIPPEDFILE")" ]; then
               echo "$GZIPPEDFILE outdated, regenerating"
               gzip -9 -f -c "$PLAINFILE" > "$GZIPPEDFILE"
            fi
         else
            echo "$GZIPPEDFILE is missing, creating it"
            gzip -9 -c "$PLAINFILE" > "$GZIPPEDFILE"
         fi' _ {} \;
   done
   set +f
done

Link to the original article here: http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:nginx:nginx_performance_tuning

1
asked 10 January 2014 at 14:04
1 answer

Webservers such as IIS, Apache, Tomcat and others that serve applications have a very large base of source code. This means that there is plenty of room to find security exploits as well as many other less harmful bugs. The exploits are often published on mailing lists such as those available through http://www.securityfocus.com/.

Proxy servers such as nginx are often "thinner", with smaller source code bases than the application web servers, and therefore have a smaller attack surface. Some exploits in IIS or Apache or other application web servers can therefore be masked by a proxy server that either does not have the same exploit or that can filter requests to prevent access to the exploit on the end server.

The proxy server can run on a minimal OS, such as a custom Linux filesystem that has very few services and executables on the filesystem other than the proxy server, so that if someone does manage to find an exploit in the proxy, there aren't enough executables in the proxy's OS (possibly not even a shell program) to take advantage of the exploit. This is much safer than exposing a full-featured, general purpose OS to the Internet. Full featured OS's often have many exploits and usually need to have a full complement of utilities and shells in order to provide the desired service.

In general, the rate of exploit detection for application servers and full-featured operating systems together is much higher than the rate for the commonly used proxy servers and their OS's, so a proxy can buy you time to fix a back-end application server or OS vulnerability.

Although Wikipedia states "it does not provide any protection to attacks against the web application", in fact some proxy servers can perform HTTP request re-writing or filtering that can go a long way to preventing SQL injection and CSS attacks.

3
answered 3 December 2019 at 18:48
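As an added example, not part of the original question or answer, the nginx configuration below shows how the answer's points and the pre-gzipped files from the question's script fit together: nginx serves the static files itself and forwards only filtered requests to the application server. The host name, document root, backend address and the blocked paths are assumptions.

```nginx
# Added example (not from the question or answer): nginx as a thin reverse
# proxy in front of an application server. Host name, document root, backend
# address and the blocked paths are placeholders/assumptions.

# Catch-all: requests for any other Host name are closed without a reply
# instead of being forwarded to the application server.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

server {
    listen 80;
    server_name www.example.com;
    root /var/www/nginx_default;

    # Backend-only paths (assumed examples) are refused at the proxy, so a bug
    # in the backend's admin or status handler cannot be reached from outside.
    location ~ ^/(manager|server-status) {
        return 404;
    }

    # Static files never touch the application server. gzip_static (needs the
    # ngx_http_gzip_static_module) serves the pre-compressed file.gz produced
    # by the script in the question when it exists next to the plain file.
    location ~* \.(css|js|jpe?g|gif|png|html)$ {
        gzip_static on;
        expires 1h;
    }

    # ^~ stops the regex locations above from matching application URLs.
    location ^~ /app/ {
        # Only the methods the application actually uses are forwarded.
        limit_except GET HEAD POST {
            deny all;
        }
        # Cap request bodies before they reach the application server.
        client_max_body_size 1m;
        # Do not leak the backend's technology banner to clients.
        proxy_hide_header X-Powered-By;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Regex locations are tried in the order written, which is why the blocked paths come before the static-file location, and the `^~` prefix keeps application URLs such as /app/page.html from being matched by the static regex.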
