andan andan wrote:
> We have a security question: should we install Varnish inside or outside
> the firewall?

I run varnish on many Linux boxes with Netfilter default log and drop rules and have not seen a performance problem.

> For better performance, we consider that the best choice is outside,
> but for obvious security reasons, the better choice is putting it into a DMZ.

This depends on your particular environment. What kind of hardware are you using? What kind of firewall is it? How much traffic can the firewall handle? How much traffic do you usually see to the backend server? Where is the backend server located? What is your reason for using a reverse proxy? What is the expected hit ratio on the cache? What kind of content are you delivering? Do you have any network operations tasks that require you to collect data from the server in a fashion that requires it to be behind the firewall?

If the backend server is through the firewall, it could be beneficial to have your varnish box outside the firewall, and you could restrict access to the backend server to only the varnish server's IP or an internal IP on a separate network. Then run iptables or ipfw on the varnish server itself.

> Any suggestions? Does anybody have Varnish outside the firewall?

I have found no reason not to use ipfw or iptables on deployed servers; the benefit in my opinion outweighs the performance loss. With a minimal ruleset the performance impact is so small it's hard to measure until you reach huge packets per second or connections per second (assuming your hardware isn't a few years away from collecting a pension). I have never seen a production box reach the limits of iptables packets per second, because whatever process is on the box (apache, varnish, squid, mysql, etc.) will have long ago melted down into a pile of smoldering ruin due to high load, and iptables performance becomes irrelevant.

--Dave
_______________________________________________
varnish-misc mailing list
[email protected]
http://projects.linpro.no/mailman/listinfo/varnish-misc
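The layout Dave describes above (backend reachable only from the varnish server's IP, and a default log-and-drop Netfilter ruleset on the varnish box itself), as an added example that is not code from the thread or from the Varnish project. The script generates iptables-restore rulesets for both hosts. The addresses are RFC 5737 documentation ranges chosen here, and the backend HTTP port 8080, the Varnish admin port 6082, the management network and the use of the conntrack match are all assumptions, not facts from the thread.

```shell
#!/bin/sh
# Added example: generate iptables-restore rulesets for a varnish box and the
# origin (backend) server it fronts. Not from the thread or the Varnish project.

# Constructed addresses (RFC 5737 documentation ranges), assumed ports.
VARNISH_IP="192.0.2.10"          # the only host allowed to reach the backend
MGMT_NET="198.51.100.0/24"       # assumed admin network (SSH, varnish -T port)
BACKEND_PORT="8080"              # assumed backend HTTP port
VARNISH_ADMIN_PORT="6082"        # assumed varnish management (-T) port

# Preamble shared by both hosts: INPUT defaults to DROP, loopback and
# already-established flows are accepted, SSH only from the management net.
rules_preamble() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -p tcp --dport 22 -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT
EOF
}

# Tail shared by both hosts: everything not matched above is logged, then
# dropped. The limit match keeps a flood from filling the disk with log lines,
# which is the one real cost of a "log and drop" default policy.
rules_tail() {
    cat <<EOF
-A INPUT -j LOGDROP
-A LOGDROP -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "NF-DROP: " --log-level 4
-A LOGDROP -j DROP
COMMIT
EOF
}

# Backend server: the HTTP port accepts new connections from the varnish IP only.
backend_rules() {
    rules_preamble
    echo "-A INPUT -p tcp --dport $BACKEND_PORT -s $VARNISH_IP/32 -m conntrack --ctstate NEW -j ACCEPT"
    rules_tail
}

# Varnish server: port 80 open to everyone, management port only from MGMT_NET.
varnish_rules() {
    rules_preamble
    echo "-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT"
    echo "-A INPUT -p tcp --dport $VARNISH_ADMIN_PORT -s $MGMT_NET -m conntrack --ctstate NEW -j ACCEPT"
    rules_tail
}

# Sanity check: succeeds (exit 0) if the given generator emits an ACCEPT for the
# backend port that is not restricted to a source address. Should always fail.
backend_port_open_to_all() {
    "$@" | grep -- "--dport $BACKEND_PORT" | grep -v -- "-s " | grep -q -- "-j ACCEPT"
}

# Usage on each host (as root):
#   backend_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
#   varnish_rules > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

Load the output with iptables-restore rather than running individual iptables commands, so the whole ruleset is applied atomically and there is never a window where the default policy is DROP but the SSH rule is not yet in place.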
