I have been receiving many queries from my industry peers regarding the best practice recommendations to securely deploy a web server. In many places the common observation was deploying the web server (i.e. Apache) database server (i.e. MySQL) in a single server. Server could be a physical machine or a virtual machine, they have deployed them in DMZ and have granted access to Internet users.
As best practice guidelines to securely deploy the web server, I recommend below implementations:
As best practice guidelines to securely deploy the web server, I recommend below implementations:
- 3-Tier Architecture is the most secure and scalable solution. Using this architecture the software is divided into 3 different tiers: Presentation tier, Logic tier, and Data tier. Each tier shall be developed and maintained as an independent tier with adequate level of security measures including relevant firewall protections in place.
- The best placement is to put the database servers in a trusted zone of their own.
- Inter-zone communication must be limited to the minimum required for service and monitoring purposes. Only inbound connection from web server to the database server shall be allowed and that shall be enforced at a firewall.
- Reverse-proxy accepts untrusted connections from the internet, can only connect to services on application servers. A reverse-proxy, Apache+mod_security/varnish/nginx/WAF/whatever, shall be run in the proxy zone and also load-balancing/failover shall be added here if needed too.
- Load balancers can be added to a server environment to improve performance and reliability by distributing the workload across multiple servers. If one of the servers that is load balanced fails, the other servers will handle the incoming traffic until the failed server becomes healthy again. It can also be used to serve multiple applications through the same domain and port, by using a layer 7 (application layer) reverse proxy.
- An HTTP accelerator, or caching HTTP reverse proxy, can be used to reduce the time it takes to serve content to a user through a variety of techniques. The main technique employed with an HTTP accelerator is caching responses from a web or application server in memory, so future requests for the same content can be served quickly, with less unnecessary interaction with the web or application servers.
- You shall configure public IP addressing only in the proxy zone, private addressing elsewhere. Server outside proxy zone shall not have a public IP, NAT, or a default route to the internet.
- As you will need to comply with PCI-DSS requirements also, you shall ensure that you have firewall at each internet connection and between DMZ, HSZ and other internal networks.
- To improve performance of a database system that performs many reads compared to writes, such as a CMS, is to use master-slave database replication. Master-slave replication requires a master and one or more slave nodes. In this setup, all updates are sent to the master node and reads can be distributed across all nodes.