Hi all,
I am in the midst of moving five of our sites onto an LVS cluster. This creates some new needs for security due to the fact that some of the sites are internal and some are external. I am running Red Hat Advanced Server 2.1 with Piranha handling the LVS. I am running Apache 1.3.27 with PHP 4.2.3. Here is what I am trying to do:
The internal sites cannot be accessible externally... as it stands a simple entry into a "hosts" file will probably allow someone to enter.
If a user bookmarks a page they can re-access that page without logging in. It really will not do them much good but it is a security issue none the less.
... Anyone have any suggestions?
John M
Login, Security, and the like
One idea may be to have all internal web sites served at a different port. Say, port 7483 for example, then have your firewall not allow traffic in on that port.
However, the cluster managers, or whatever they're called using Piranha, are forwarding requests to the appropriate servers based on what? The reason I ask is because in the setup we use, using Turbo Cluster 6, the cluster manager forwards a request to the correct server based on the port it's coming in on. Port forwarding. So, if the cluster manager were to see incoming traffic on port 5801 (assuming it got past the firewall), it would do nothing with it as there are no services it recognizes using that port.
Therefore, if internal web sites listen at a different port, they'll never see traffic from the outside world.
Another possibility. I don't know if it's possible, but using .htaccess, is it possible to only allow access from particular networks? So if your internal LAN network is 192.168.52.0, then set .htaccess to only allow traffic for addresses on that network.
Ultimately, there are a ton of options here, but much of it depends on how the LVS cluster managers are set up to route traffic through the system.
Cheers,
BDKR
> If a user bookmarks a page they can re-access that page without logging in. It really will not do them much good but it is a security issue none the less.

Couldn't (or shouldn't) this depend on things like the data that's passed to the page when the user accesses it? With my sites, some joe could log in, then bookmark, only to find that when he tries to get in later, his session is no longer valid, and therefore sees a "Go login" message of some sort.
Cheers,
BDKR
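One way to put both of BDKR's points into practice on the Apache 1.3 / PHP 4 stack John describes, as an added example that is not code from the thread or from the Piranha/LVS project: a small PHP include that (1) refuses to serve an internal site's page unless the client address lies within the 192.168.52.0 LAN from the first reply, backing up an `Order deny,allow` / `Deny from all` / `Allow from 192.168.52.0/24` rule in that site's .htaccess, and (2) sends a bookmarked page back to the login form when there is no live session, which is the behaviour the second reply describes. The file name auth_check.php, the `$_SESSION['user_id']` key, the /login.php URL and the 255.255.255.0 mask are assumptions.

```php
<?php
// auth_check.php: added example, not from the thread or from Piranha/LVS.
// require() it as the very first line of every protected page, before any
// output, so header() can still send a redirect or a 403.
// Assumptions: login.php sets $_SESSION['user_id'] on success; the internal
// LAN is 192.168.52.0 with a 255.255.255.0 mask (constructed from the thread).

define('INTERNAL_NET',  '192.168.52.0');
define('INTERNAL_MASK', '255.255.255.0');

// True when $ip lies inside $net/$mask (IPv4 only, as in the thread).
// PHP 4 ip2long() returns -1 on a bad address, PHP 5+ returns false;
// both are treated as "not internal".
function ip_in_network($ip, $net, $mask)
{
    $ip_l   = ip2long($ip);
    $net_l  = ip2long($net);
    $mask_l = ip2long($mask);
    if ($ip_l === false || $ip_l === -1 || $net_l === false || $net_l === -1) {
        return false;
    }
    return (($ip_l & $mask_l) == ($net_l & $mask_l));
}

// Second layer for the internal sites. The Apache Allow/Deny rule in
// .htaccess is the primary control; this refuses the page if that rule is
// ever missing or overridden.
function require_internal_client($remote_addr)
{
    if (!ip_in_network($remote_addr, INTERNAL_NET, INTERNAL_MASK)) {
        header('HTTP/1.0 403 Forbidden');
        exit('Forbidden');
    }
}

// The bookmark case: a page is only served to a browser with a live,
// logged-in session; otherwise the user is sent to the login form and the
// requested URL is remembered so login.php can send them back afterwards.
function require_login($login_url)
{
    session_start();
    if (empty($_SESSION['user_id'])) {
        $_SESSION['return_to'] = $_SERVER['REQUEST_URI'];
        header('Location: ' . $login_url);
        exit;
    }
}

// Run both checks for an internal site; external sites would call only
// require_login().
require_internal_client($_SERVER['REMOTE_ADDR']);
require_login('/login.php');
?>
```

The .htaccess rule only takes effect if httpd.conf grants `AllowOverride Limit` for that document root, which is a common reason such a rule silently does nothing. The REMOTE_ADDR check is only meaningful because LVS-NAT and LVS-DR both hand the real server the client's own source address; if a reverse proxy is ever placed in front of the cluster, every request would arrive from the proxy's address and the network check would have to move to the proxy.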