Hi All,
Is it posable to use apache as a web forwarder? what i want to do is have a linux box in the dmz that will relay mail and web requests in to the LAN mail to the exchange and web on to a box with apache.

if this is posable will this be a good security model? if someone trys to exploite the web forwarder in the dmz the request will 'not' be passed to the web server in the LAN?

its just that the webserver is running off the back of my file server, which for obvious reasons i do not want exposed in the dmz.

any advice will be great

many thanks

spikes

Clarify this statement a bit? I'm not sure what you're asking.:-|

Do you mean:

dmzbox -mail-> internal Exchange server
dmzbox -website-> web server

I wouldn't even bother with such a setup.

If you keep your box up-to-date with the latest versions of your MTA (mail transport agent) and apache, that will give you an edge. Also, you should read a tutorial on securing a webserver, like setting up permissions and configuring the server itself.

Apache is designed to work on the Internet, and it's also designed to be pretty secure. There's no reason why you couldn't have a fileserver/webserver box on the internet, "exposed" so to speak, and not have any problems. I'd look into setting up firewall rules, permissions, and closing any unneeded open ports that are facing the Internet side of the server. That should help.

sorry for the confusion,
what i am looking at doing is having one machine in the DMZ of my network that will pass on any port 25 traffic and any port 80 traffic to two seperate machines inside the LAN.

basicly i have the machine in the DMZ doing mail scanning for me then it relays everything that passes the tests to an exchange server in the LAN. what i am hopeing to add to this is a port 80 forwarder, the main reason being that the web server is also my main file store so i would like to keep it away from the outside world as much as possible.

with that said, i was hoping that if i had the forwarder in the DMZ then any attacks would be aimed at it instead of my file/web server.

any thourghts?

spikes

This sounds to me like simple port forwarding?

check out http://netfilter.org for ipchains/iptables depending on your kernel

Definitely, that setup is a good idea. If you do other things on those boxes, port forwarding is a good idea.

Do you currently have a broadband router? It will most likely do port forwarding. Otherwise, here are some HOWTOs to give you some ideas:

IP Masquerade on Linux
ipnat under FreeBSD
IPNAT under NetBSD

If you have a broadband router, it's pretty easy to do port forwarding. If you have an old box sitting around, throw a pair of NICs into it, and build a router yourself. Personally, I like using the BSDs. I'm a fan of Free and NetBSD, as their NAT setups are pretty straightforward to configure, especially given that their online docs are pretty easy to follow.

yea sounds like i'm on for the port forward. at the moment everything is sitting behind a smoothwall so i can forward from there. i guess what i was looking in to was 'can you use apache in a front-end / back-end set up?' but i think the port forward may be the most strait forward idea.

cheers for the help,

spikes