> So, my question is, what is unique/different/special about your reverse
> HTTP proxy server compared to apache mod_proxy*?

Good question.

First off I will make it clear that my proxy isn't feature complete.  It
is still a work in progress and I expect to add many new vertical features
to it over the next year.

I took a hard look at mod_proxy as the core of my product and decided to
write my own.  Here are the reasons.

1) Apache is a really great piece of software, but I feel it is burdened
by its quest to be everything to everybody.  This significantly increases
the complexity of configuration.  Also the run time module loading might
be good for a general purpose application server, but it isn't optimal for
a security server where control over running code is vital.

2) Since Apache is written as a generic application server it uses a
thread/connection model which greatly simplifies (or complicates depending
on your perspective) the programming model for modules such as mod_perl.
It is difficult to scale this type of server up to wire speeds to serve
multiple servers as proxy servers often must.  I use a single threaded,
event driven model which is on 2.6 kernels based on sys_epoll.  sys_epoll
can scale linearly to 10s of thousands of connections.  Something Apache
could never do.

3) I use a drastically different memory and resource management that is
better suited to a high availability proxy server.  Basically I
allocate all resources at start up.  This prevents the server from failing
to dynamically allocate memory, which is very difficult to recover from. 
The memory requirements of the server DO NOT change while the server is
running.  All memory allocation is determined by the configuration
settings provided by the user.

4) I use a very stringent model of checking HTTP parameters.  I give the
user the ability to configure exactly how HTTP requests will be handled
before entering the core of the network.  It would take a lot of
modifications to Apache to achieve this level of control over HTTP
validation.

5) Honestly the Apache code isn't the easiest to read and understand
coming from a 3rd party.  The apr_bucket API is a good example.  I couldn't
make myself comfortable with the implications of using mod_proxy.

6) But the biggest reason is that there is value in diversifying your
server infrastructure.  For instance if you are using Apache as an
application server and a validating proxy, what happens if there is an
exploit found in the core HTTP processing in Apache?  Basically both of
your defenses have been broken.  For more information on this you might
want to read my article on network diversity which is here:
http://www.baus.net/archives/000051.html.

So any takers?  Again I am willing to help anyone get started in setting
up the proxy.

Sincerely,

Christopher
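Points 3 and 4 above describe two design choices a reader may want to see concretely: a connection table sized once from the operator's configuration so nothing is allocated after startup, and a request-line check that only admits an operator-chosen set of methods, a restricted target character set and HTTP/1.0 or 1.1. The following C is an added illustration written for this thread; it is not Christopher's proxy code, and the `proxy_config`, `conn_pool` and `validate_request_line` names, the sample allow-list and the 1 KiB per-connection buffer are assumptions made for the example. The epoll loop that would drive these calls is not shown.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical operator configuration: everything that sizes memory lives here. */
struct proxy_config {
    size_t max_connections;   /* number of connection slots to reserve at startup */
    size_t max_request_line;  /* longest request line we are willing to parse */
};

struct conn {
    int fd;            /* -1 marks a free slot */
    size_t used;       /* bytes buffered so far */
    char buf[1024];    /* fixed per-connection buffer, never grown (assumed size) */
};

struct conn_pool {
    struct conn *slots;  /* allocated exactly once in pool_init */
    size_t count;
    size_t in_use;
};

/* Reserve every slot up front; after this returns the pool never calls malloc,
   so an allocation failure can only happen at startup where it is easy to report. */
bool pool_init(struct conn_pool *p, const struct proxy_config *cfg) {
    p->slots = calloc(cfg->max_connections, sizeof *p->slots);
    if (p->slots == NULL) return false;
    p->count = cfg->max_connections;
    p->in_use = 0;
    for (size_t i = 0; i < p->count; i++) p->slots[i].fd = -1;
    return true;
}

/* Hand out a free slot, or NULL when the configured limit is reached.  Hitting the
   limit is an ordinary, recoverable condition (refuse the new client), not an
   out-of-memory error discovered mid-request. */
struct conn *pool_acquire(struct conn_pool *p, int fd) {
    for (size_t i = 0; i < p->count; i++) {
        if (p->slots[i].fd == -1) {
            p->slots[i].fd = fd;
            p->slots[i].used = 0;
            p->in_use++;
            return &p->slots[i];
        }
    }
    return NULL;
}

void pool_release(struct conn_pool *p, struct conn *c) {
    if (c->fd != -1) { c->fd = -1; c->used = 0; p->in_use--; }
}

void pool_destroy(struct conn_pool *p) { free(p->slots); p->slots = NULL; p->count = 0; }

/* Strict request-line check: "METHOD SP /target SP HTTP/1.x CRLF", nothing else. */
enum req_verdict { REQ_OK = 0, REQ_BAD_METHOD, REQ_BAD_TARGET, REQ_BAD_VERSION,
                   REQ_TOO_LONG, REQ_MALFORMED };

/* Operator-controlled allow-list; anything not listed is rejected outright. */
static const char *const allowed_methods[] = { "GET", "HEAD", "POST", NULL };

/* Conservative target alphabet: alphanumerics plus a short list of punctuation.
   The c != 0 guard matters because strchr() would otherwise match the NUL terminator. */
static bool target_char_ok(unsigned char c) {
    return c != '\0' && (isalnum(c) || strchr("/-._~%?=&", c) != NULL);
}

enum req_verdict validate_request_line(const char *line, size_t len, size_t max_len) {
    if (len > max_len) return REQ_TOO_LONG;
    if (len < 2 || line[len - 2] != '\r' || line[len - 1] != '\n') return REQ_MALFORMED;
    const char *end = line + len - 2;                 /* points at the CR */

    const char *sp1 = memchr(line, ' ', (size_t)(end - line));
    if (sp1 == NULL) return REQ_MALFORMED;
    size_t mlen = (size_t)(sp1 - line);
    bool known = false;
    for (int i = 0; allowed_methods[i] != NULL; i++)
        if (strlen(allowed_methods[i]) == mlen && memcmp(line, allowed_methods[i], mlen) == 0)
            known = true;
    if (!known) return REQ_BAD_METHOD;

    const char *tgt = sp1 + 1;
    const char *sp2 = memchr(tgt, ' ', (size_t)(end - tgt));
    if (sp2 == NULL || sp2 == tgt || tgt[0] != '/') return REQ_BAD_TARGET;
    for (const char *q = tgt; q < sp2; q++)
        if (!target_char_ok((unsigned char)*q)) return REQ_BAD_TARGET;

    const char *ver = sp2 + 1;
    size_t vlen = (size_t)(end - ver);
    if (vlen != 8 || memcmp(ver, "HTTP/1.", 7) != 0 || (ver[7] != '0' && ver[7] != '1'))
        return REQ_BAD_VERSION;
    return REQ_OK;
}
```

The verdict enum is deliberately fine-grained so the proxy can log which rule a request tripped, which is what makes a validating front end useful to the people watching it: a spike in REQ_BAD_VERSION or REQ_TOO_LONG is visible before anything reaches the servers behind it.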


_______________________________________________
RLUG mailing list
[EMAIL PROTECTED]
http://lists.rlug.org/mailman/listinfo/rlug
