Tuesday, August 6, 2013

Taking reverse proxy functionality into account within your software architecture

Within the Java project I am currently working on, we had to deal with lots of security-related questions and challenges.

The project itself is a Java project created with the following stack:
- Spring MVC (Controller)
- Apache Wicket (frontend)
- Spring / Spring Data / Apache CXF (Business & Service Layer)
- Hibernate (Model)

The application itself is deployed within a high-availability environment.

One of the system-architecture decisions we made was to handle all of our SSL traffic not within the application servers themselves (using Apache mod_ssl), but instead to move it to the load balancer, which is placed within the DMZ and actually acts as a reverse proxy.

This design has several advantages, both technical and from a maintenance point of view:

  • The SSL certificates and private keys are centralized on the reverse proxy service, which simplifies key management. Not every application server within your application server cluster has to be polluted with SSL code and logic. In this way the responsibility for and maintenance of this PKI management can, in most cases, also move from the project to the hosting provider of your application.
  • The proxy server can terminate the SSL handshake, and traffic from the proxy server to the application server cluster can then use plain HTTP. This will lead to improved performance of your application logic.
  • Upgrades of application servers can be done more easily. Switching to a new application server only requires reconfiguring the reverse proxy server to point to the new application server.
  • Improved security of your total application landscape when using a reverse proxy within a DMZ.

The message I want to get across is that you have to look further than only your software architecture, and also take the total system architecture, including the DMZ, into account!
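
With SSL terminated on the proxy, the application servers see every request as plain HTTP, so redirects and secure-cookie decisions need the original scheme passed along. The servlet filter below is an added example, not code from the project described here; it assumes the proxy sets the de-facto `X-Forwarded-Proto` header, that its internal address is the constructed value 10.0.0.5, that it listens on port 443, and that the javax.servlet API is on the classpath.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/** Added example: restores the client's original scheme behind an SSL-terminating proxy. */
public class TrustedProxySchemeFilter implements Filter {

    // Assumption: internal address of the reverse proxy (constructed value).
    private static final Set<String> TRUSTED_PROXIES = Collections.singleton("10.0.0.5");

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String proto = http.getHeader("X-Forwarded-Proto");
        // Only honour the header when the TCP peer is the proxy itself; any other
        // client could set it freely and make plain HTTP look like HTTPS.
        boolean viaProxy = TRUSTED_PROXIES.contains(http.getRemoteAddr());
        if (viaProxy && "https".equalsIgnoreCase(proto)) {
            chain.doFilter(new HttpServletRequestWrapper(http) {
                @Override public boolean isSecure() { return true; }
                @Override public String getScheme() { return "https"; }
                // Assumption: the proxy's public listener is on port 443.
                @Override public int getServerPort() { return 443; }
            }, res);
        } else {
            // Direct or untrusted connection: leave the request as the container saw it.
            chain.doFilter(req, res);
        }
    }

    @Override
    public void destroy() { }
}
```

Registered ahead of the Spring MVC and Wicket filters, this lets the frameworks build `https://` redirect URLs and mark session cookies as secure even though the hop from the proxy is plain HTTP.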

15 comments:

  1. Nice article!

    I think another advantage is that you can put all the other application servers behind the DMZ. So from a security perspective this is also what you want.

  2. I am discussing an easy way to start blocked websites whenever I want, and any website I want to start, without using any third celebration application, because sometimes it's difficult to set up any application due to limitations. Now I can start any obstructed website from my PC by simply clicking
    VK proxy

  3. Thank you for sharing. The goal of Maintenance Management Software is to stop the insanity that frustrates and bring detailed, useful information to those who must make a decision in a quick, intuitive manner.

  4. Thank you for the information and Unblock Proxy is fast anonymous proxy server, we unblock facebook, unblock youtube, unblock myspace, unblock all sites with this fast free web proxy server.

  5. Thank you for sharing this article. Proxy website, it's easy for unblocking a lot of sites.

  6. Thanks for sharing this article. They really help to unblock YouTube and other social networks which are restricted in our area due to some reasons. Without this I have not been using YouTube for the last few months, but it really helps in my studies to watch online video lectures and tutorials.

  7. Very informative blog, and I want to share a fast proxy link which can access restricted sites in seconds. When I got this link I tried browsing through the result with a test, hopefully success. It is working fine with blocked sites; you can use this link, just click

    KickAssTorrents UK proxy

  8. Thank you very much for this wonderful tutorial, I appreciate it, and thanks once again.
    And here I present a proxy website: faceb11k

  9. WOW!! Very informative blog and useful article. Please visit this site if you want more detail.
    FileCrop UK proxy
