Yes, but if the website is using CSS and JS from other domains, the web servers don't pull the CSS and JS from the Internet and resend it to the client. The client pulls the web page from your server using HTTP, processes the HTML, sees the CSS and JS links to other domains and then loads the CSS and JS from those domains (servers). Even that is actually irrelevant, because CSS and JS are served up just like HTML, as normal HTTP requests, so if you host those locally, they are just more files.

If you are building a reverse proxy for a public website, then you only need two access rules (HTTP allow all, HTTPS allow all). Then you set up pass-through rules to pass HTTP and HTTPS to the reverse proxy server. I'd suggest that you see if the Proxy plugin works for your situation. It does reverse proxy and has mod_security, which has built-in filtering/security checks for web traffic.

If you are trying to do DDOS protection, then you need to put the router and reverse proxy servers at a data center with lots of bandwidth. Putting the reverse proxy server on the same network feed as the web server will not mitigate the bandwidth denial features of a DDOS attack.

Also, I would suggest that you might think about conceptualizing the project in terms of what you want rather than how you would re-implement a system using open source to replace one for one the expensive proprietary tools that exist on the market (Cisco, Juniper, WatchGuard, F5, Barracuda). How you protect a network of web servers is quite different from how you would protect a network of desktop computers.

Walter

On Mon, Apr 14, 2014 at 12:17 PM, Oğuz Yarımtepe <[email protected]> wrote:

> The problem with this setup is, what will happen if the website is using
> some CSS, JS files from other domains? Adding a rule for each of these
> domains will be painful after a while, I assume. But on the other hand, I
> will be using this reverse proxy node as the first entry point to my DDoS
> protection network, so not sure whether DPI is a good thing here or not.
>
> On Sat, Apr 12, 2014 at 11:40 PM, Walter Parker <[email protected]> wrote:
>
>> How about configuring the firewall to block everything and then
>> create a rule that forwards/allows only port 80 and 443 to the reverse
>> proxy server. Configure the reverse proxy server to only support HTTP
>> traffic (on port 80 and using SSL on 443). Then you don't need to do DPI.
>> I'd say you don't actually need to filter the traffic to the reverse proxy
>> server if you pick one that can be configured to only support HTTP
>> traffic.
>
> _______________________________________________
> List mailing list
> [email protected]
> https://lists.pfsense.org/mailman/listinfo/list

-- 
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
_______________________________________________ List mailing list [email protected] https://lists.pfsense.org/mailman/listinfo/list
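The "block everything, forward only 80 and 443 to the reverse proxy" design discussed in this thread, written out as a pf ruleset. This is an added example, not from the thread and not pfSense's own generated rules; interface names, addresses and the origin network are constructed placeholders, and the per-source connection-rate limiting goes a step beyond what the thread describes (it sheds cheap connection floods at the edge but, as Walter notes, cannot help once the upstream link itself is saturated).

```pf
# Macros: constructed placeholder interfaces and addresses
ext_if     = "em0"            # WAN-facing interface
dmz_if     = "em1"            # segment holding the reverse proxy
rp_host    = "192.0.2.10"     # public address that is NATed to the proxy
rp_int     = "10.0.0.10"      # reverse proxy's internal address
origin_net = "10.0.1.0/24"    # origin web servers behind the proxy
web_ports  = "{ 80, 443 }"

# Sources that exceed the connection limits below land here
table <floods> persist

set skip on lo0
set block-policy drop         # silently drop, don't send RST/ICMP back

# Translation: send the public address's 80/443 to the proxy, same ports
rdr on $ext_if proto tcp from any to $rp_host port $web_ports -> $rp_int

# Filtering: drop spoofed sources, then default-deny everything inbound
antispoof quick for { $ext_if $dmz_if }
block in log all

# Anything already flagged as flooding is dropped before the pass rule
block in quick on $ext_if from <floods>

# The only two access rules the thread calls for: HTTP and HTTPS to the
# proxy (rdr has already rewritten the destination to $rp_int). Limit each
# source to 100 open connections and 15 new ones per 5 seconds; offenders
# are added to <floods> and their existing states are flushed.
pass in on $ext_if proto tcp from any to $rp_int port $web_ports \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <floods> flush global)

# The proxy may reach the origin servers on 80/443; nothing else enters
# the firewall from the DMZ segment
pass in on $dmz_if proto tcp from $rp_int to $origin_net port $web_ports \
    keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; on pfSense the equivalent is entered through the NAT and Rules pages rather than by editing pf.conf directly.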
