0

I have never deployed a reverse proxy before and i was wondering if it is mandatory from a security perspective, to ensure only authenticated requests reach my web application server past the DMZ?

My web application server which runs linux tomcat stack, has all the mandatory security and firewall infrastructure and can authenticate its own requests. We just dont want to host it in the DMZ since it does not always run the latest OS or tomcat instance.

Googling "reverse proxy best practices" or "reverse proxy security best practices", did not turn up any recommendations to mandatorily enable authentication at the proxy.

What are the guidelines on this and what is generally practiced in the field ? I would appreciate all answers and especially so from folks who have actually deployed reverse proxies in a security conscious environment like banks etc ...

Thanks in advance.

Improve this question
4
  • Note : We are considering making these nodes in the LAN reachable via their individual host names via SAN SSL certificates applied to the proxy server so that there is less load on the proxy to perform hostname translations and such in the HTML content. Commented Apr 3, 2020 at 8:31
  • Thanks to all those who answered. I guess I am looking for a definitive reasoning as to why an unauthenticated request traversing past the firewall destined for my web services is not construed as a security risk in any manner ? Commented Apr 3, 2020 at 19:35
  • I dont believe that unauthenticated requests are not construed as a security risk - however reverse proxies, while useful as part of a security model, are not designed to do handle authentication. To the extent they wpuld be doing authentication in excess of basic/digest auth - which is a thing of the distant past - they are not designed to handle authentication as its app specific. I put to you that it is a best practice is to consider security in layers and accept that the proxy layer does not cover authentication. Commented May 17, 2021 at 20:03
  • Oh thank you. Since they make it possible to perform basic/digest and possible oauth/sso authentication i would have thought that is a standard procedure. I will raise a seperate question on how people avoid the DoS scenarios here. Commented May 18, 2021 at 1:59

3 Answers 3

Reset to default
1

I think there is no general guideline on that topic. I have set up multiple reverse proxies in different areas and sometimes used authentication and sometimes not, heavily depending on the actual use case.

From your question

My web application server which runs linux tomcat stack, has all the mandatory security and firewall infrastructure and can authenticate its own requests.

i would deduce that authentication in your proxy would not make a lot of sense when your server is already doing that. Including authentication in your reverse proxy makes sense when you want to create a secure connection between a client and otherwise unsecure server. When your server already is secure, i do not see any reason to add another layer of security.

I have never deployed a reverse proxy before and i was wondering if it is mandatory from a security perspective

It is definitely not mandatory. It is of course good practice to secure resources which would otherwise be totally open. So, of your server is already 'secure' and authenticating requests, i would not add another authentication instance.

Improve this answer
0

I worked for many years as an Infrastructure engineer for a company on the fringe of Th banking industry moving around large sums of money between lots of people.

Our systems designs never required authentication from the proxys, although these were not externally reachable (ie behind NAT), although there was user authentication happening in the app.

This setup was never an issue, and there were a number of audits from external auditors, and external experts, in addition to internal scrutiny- no one ever brought this up as a potential issue.

Maybe relevant questions to help clear your mind, as the answers can differ depending on deployment and may inform your decision -

  1. What is the consequence of a user bypassing the reverse proxy? Why is the proxy the best place to secure against the threat?

  2. How can the systems behind the secure proxy be reached and is there a more appropriate place to put the end nodes? Does it make sense to secure the proxies in ways other then authenticating them?

Improve this answer
8
  • Unaccepted the answer as i found that not having security at the proxy means that invalid requests can now travel all the way to the server to cause a DoS situation Commented May 14, 2021 at 12:55
  • Iam guessing the reason this setup was never in issue in your particular scenario was because the proxy was never directly exposed to the internet ? Commented May 15, 2021 at 7:13
  • @Computinglife of-course the proxy was directly exposed to the Internet. The configuration of a reverse proxy really depends on your application. I expect the standard model (for example for a service which is authenticated in an application available over HTTPS) is for the application to do authentication, in which case the authentication requests need to get to the application. I would argue that as soon as you start doing authentication/intrusion protection on a proxy type device it is no longer a proxy, it is more a WAF (web application firewall) - which is not what you asked about. Commented May 15, 2021 at 7:32
  • Also, how are you defining "invalid request". If a request is not a valid HTTP(s) request - ie its targetted at a different protocol - it won't get through the proxy. It seems to me you are looking for the proxy to be more then just a proxy - which is OK, but not what your question stated. Commented May 15, 2021 at 7:42
  • I meant “invalid” to mean invalid authentication, which is the same as the question asked. Iam sorry I did not make it more clear. I ran a test with 2 models, one where the authentication was enforced at the proxy and another where the request was send all the way upto my server within the internal network. So what happens here is that the proxy auth puts zero load on the server but with the other model, the attack is easily able to bring it down, depending on how inefficient your auth is. Tomcat with its thread per request model is woefully inadequate. Commented May 16, 2021 at 8:44
0

A consequence of an unauthenticated reverse proxy is that complete set of requests that hit the proxy pass up the network transparently to the upstream server. Though this might fail to authenticate, it can be used as DoS attack on the server.

DDOS - Attacks on upstream servers

Depending on your implementation, (in our case it was) the proxy can be more efficient or take this load off your upstream server to fail the invalid requests and thus allow the upstream server to be more available to other clients. This is especially true if the reverse proxy is not the only ingress point for requests to the server in question or if there is an efficiency difference between the proxy and your upstream server. (eg nginx with lua vs tomcat)

DOS - Attack on the proxy

When authentication is done upstream, the proxy has to do MORE work (2-3 systems call atleast) to read and write data to send and recieve all the requests to/from upstream. Hopefully your authentication done at the proxy is lighter. If so, sending all this spurious data upstream, EVEN if it does not cause your upstream to fail, will cause the proxy to be much more loaded and cause a DOS on the proxy & will affect all other services exposed using the same proxy.

All this traffic which travels upstream, will also likley put a pressure on the proxy -> upstream link, especially this is not over LAN, depending on the size of the attack

Reacting to vulnerabilities

A proxy setup is much fewer number of boxes to manage, compared to say an upstream solution which runs on scores of VM's or boxes. If the core infrastructure for the solution has a vulnerability, the proxy without authentication just exposed your entire org to a zero day vulnerability, since these sort of solutions cannot be patched in a day, let alone convincing the companies to release a patch. However the proxy is entirely under the IT control and can be patched immediately to prevent any further vulnerabilities. The proxy effectively is a HUGE step up in security, if kept patched and uses authentication at the edge.

Risk of Open Proxy

A typical problem with proxies is that misconfigurations sometimes creep in, thus allowing the proxy to expose unintended upstream servers or locations. Without an authentication, this proxy thus starts acting like an open reverse proxy which is a real threat to the corporate LAN & even the general internet, since that is used by bad actors to hide their actual locations for attacks on other targets. Open proxies (wrt redirects) are considered to be universally bad.

By ensuring your reverse proxy has authentication, the risk of creating an open proxy becomes much more smaller.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.