While there are many good arguments for using reverse proxying in production environments, we will focus on the security aspect here. Many firewalls are capable of restricting access to a server for specific ports and protocols, but few firewalls operate at the application layer. A reverse proxy operates at the HTTP application layer (in this case), which means that it can filter based on characteristics of the HTTP requests.
The main security concerns for the reverse proxy server are:

Hiding the existence and characteristics of eXist from the client
    The client should only see the reverse proxy server. If a malicious client tries to exploit the server directly, it will be attacking the reverse proxy server and not eXist. Another concern, perhaps, is to allow the reverse proxy server to map an application or documents you have in eXist into your website's URI space, so that it is not obvious to attackers that part of your website is running in an application server (eXist). For example, you can proxy the public URI http://www.mywebsite.com/widgets/ to the private URI http://my-exist-server:8080/exist/apps/widgets/.

Controlling (and limiting) access to eXist by the client
    This allows you to limit which HTTP requests will reach eXist based on various criteria such as URI, headers, and cookies. A useful example is to limit access to the URIs /exist/xmlrpc and /exist/webdav, while allowing access to /exist/apps from your web users.

There are many options for reverse proxy servers, but two of the most popular ones are the Apache HTTP Server Project (Apache httpd) and Nginx. Apache httpd is a large, feature-rich, and very popular web server, an example of whose use is described in “Proxying eXist Behind a Web Server” on page 207. Nginx (shown in Example 8-2) is a modern, very lightweight, and incredibly fast web server. It is perfect if you are looking for a reverse proxy for eXist because it is much simpler to install and configure than Apache httpd, which gives it a smaller attack surface.

Example 8-2. Nginx configuration for reverse proxying eXist

    # Headers passed to eXist so it can see the original host and client address
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header nginx-request-uri $request_uri;

    server {
        listen 80;
        server_name .mywebsite.com;
        charset utf-8;
        access_log /srv/www/vhosts/mywebsite.com/logs/access.log;

        # Map the site root onto a collection served by eXist's REST interface
        location / {
            proxy_pass http://localhost:8080/exist/rest/db/mywebsite.com/;
        }
    }
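
The two concerns listed earlier (mapping /widgets/ into the public URI space, and limiting /exist/xmlrpc and /exist/webdav while allowing /exist/apps) can be expressed as the following Nginx server block. This is an added example, not part of Example 8-2 or the book's own configuration; the host my-exist-server:8080 and the URIs come from the text above, while the admin range 192.0.2.0/24 is a constructed placeholder.

```nginx
# Added example (not the book's configuration).
# Assumed: eXist listens on my-exist-server:8080; 192.0.2.0/24 is a
# placeholder for the network that administrators connect from.
server {
    listen 80;
    server_name .mywebsite.com;
    server_tokens off;            # do not advertise the nginx version

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # Concern 1: hide eXist behind the site's own URI space.
    # Because proxy_pass carries a URI part, nginx replaces the matched
    # prefix of the normalized request path, so /widgets/a.html is sent
    # to /exist/apps/widgets/a.html. The default proxy_redirect maps
    # Location headers from eXist back to /widgets/.
    location /widgets/ {
        proxy_pass http://my-exist-server:8080/exist/apps/widgets/;
    }

    # Concern 2: applications stay reachable for web users...
    location /exist/apps/ {
        proxy_pass http://my-exist-server:8080/exist/apps/;
    }

    # ...while the XML-RPC and WebDAV endpoints are limited to the admin
    # network. "^~" stops nginx from preferring a regex location later.
    location ^~ /exist/xmlrpc {
        allow 192.0.2.0/24;
        deny all;
        proxy_pass http://my-exist-server:8080;
    }
    location ^~ /exist/webdav {
        allow 192.0.2.0/24;
        deny all;
        proxy_pass http://my-exist-server:8080;
    }

    # Default deny: any other path never reaches eXist.
    location / {
        return 404;
    }
}
```

Nginx matches locations against the normalized path, so a request such as /exist/apps/../xmlrpc is evaluated by the restricted /exist/xmlrpc block rather than the open /exist/apps/ one.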