On Thu, Aug 19, 2021 at 7:47 AM Bill Woodcock <woody@pch.net> wrote:
> 4. Does that mean I need a big Web Application Firewall (WAF)
>
> Absolutely not. I have no idea what a Web Application Firewall is, but if it’s anything like it sounds like, I wouldn’t let one anywhere near anything I was responsible for securing.
Hi Bill,

A WAF is a filtering reverse web proxy. It can sanitize incoming requests to obstruct hacking against the web server. It's often used for TLS offload as well, since it must decrypt the traffic anyway. You give the "real" web server RFC 1918 addresses and put a WAF on the public IP addresses. It also tends to break web sockets, so there's a capability penalty if you use one.

A WAF is the second-best answer to Pirawat's problem, since it can filter web requests which arrive without an acceptable "Host" header corresponding to the DNS name the browser used.

The best answer is: don't do that. If you have so little trust for your web staff, replace them with trustworthy people.

Regards,
Bill Herrin

--
William Herrin
bill@herrin.us
https://bill.herrin.us/
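As an added illustration of the Host-header filtering Bill Herrin describes (example code written for this page, not from either poster or any WAF product), here is the check a filtering reverse proxy could apply before forwarding a request; the allow-list of DNS names and the sample headers are constructed assumptions.

```python
import ipaddress

# Constructed allow-list: the DNS names the browser is expected to have used.
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def parse_host(header):
    """Split a Host header into (hostname, port). Returns None if malformed."""
    if header is None:
        return None
    value = header.strip()
    if not value:
        return None
    if value.startswith("["):            # IPv6 literal, e.g. [2001:db8::1]:443
        end = value.find("]")
        if end == -1:
            return None
        host, rest = value[1:end], value[end + 1:]
    else:
        host, sep, rest = value.partition(":")
        rest = sep + rest
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
    # Normalise case and a trailing dot so the comparison is on the DNS name.
    return host.rstrip(".").lower(), port


def host_acceptable(header, allowed=ALLOWED_HOSTS):
    """True only if Host names one of the configured DNS names.
    A missing Host, a bare IP literal, or an unknown name is rejected."""
    parsed = parse_host(header)
    if parsed is None:
        return False
    host, port = parsed
    if port is not None and not 1 <= port <= 65535:
        return False
    try:
        ipaddress.ip_address(host)
        return False   # an IP literal is never an acceptable DNS name
    except ValueError:
        pass
    return host in allowed


def filter_request(headers, allowed=ALLOWED_HOSTS):
    """Decide 'forward' or 'reject' for a request's header dict."""
    return "forward" if host_acceptable(headers.get("Host"), allowed) else "reject"
```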