Proxy firewalls

Published: June 22, 2012
Tags: firewalls internet security vps evorack

Taking advantage of a really great promotional deal, I now have two Evorack VPSes which together cost me a little less than I used to pay for just one. My plan when I got the second server was to start handling web serving and mail serving from separate machines, to improve the security and reliability of each. Up until now I had been using lighttpd as a webserver, because I appreciate its small, simple and fast nature. However, with the prospect of having a machine dedicated to web serving I started to consider using the famous and behemoth Apache. My main motivation in considering this was to take advantage of some of the really nice security modules available for it, such as mod_security and mod_evasive. This idea didn't really last too long, though, because even with some tweaking for a low memory system, I just couldn't get Apache to perform acceptably. I don't exactly need massive throughput, but testing my website on lighttpd and Apache using siege was just embarrassing for Apache. In addition to being much slower, beyond about 10 concurrent users Apache just completely melted down, whereas lighttpd handled 50 without much difficulty. There are things in the lighttpd universe that approximate mod_security and mod_evasive, but out of the box they are nowhere near as capable as their Apache equivalents.

At this point I started to get quite frustrated about just how stupid it is to implement this sort of functionality in web server specific modules. Apache, lighttpd and nginx all have, for example, modules designed to limit the number of simultaneous connections from a single IP and/or the number of connections per unit time. That's exactly the same problem solved three times over, which makes no sense at all given that it is a problem that is totally independent of the internal architecture of each server. The Obviously Right Thing to do in this case is to have some sort of small and lightweight reverse proxy performing this kind of filtering and forwarding good requests on to the sysadmin's webserver of choice. Such a proxy would work exactly the same for all possible webservers, reducing the duplication of effort and giving people more freedom of choice. The benefits are even more obvious for mod_security. Look at the OWASP Core Rule Set project for mod_security. This is a huge project which takes a lot of effort to maintain, and it is 100% useless for people who aren't using Apache. Now, you could in principle use Apache as just the sort of security reverse proxy I'm talking about, but this is kind of counter-productive if you want to use lighttpd or nginx because they're smaller and faster. If there was a server independent security proxy, the OWASP folks could write rules for that and everybody would benefit.
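To make the "small and lightweight reverse proxy" idea concrete, here is an added example (my own illustration, not code from the post or from any of the projects it mentions) of a tiny filtering proxy: a per-IP sliding-window rate limiter in the spirit of mod_evasive, plus a couple of cheap server-independent request checks, in front of whatever backend is listening. The backend address, the limits and the specific checks are all assumptions chosen for the example; a real deployment would tune them and add far richer rules.

```python
import threading
import time
from collections import deque
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# Assumptions for the example: the real web server (lighttpd, nginx, Apache,
# anything) listens on the loopback port below, and these limits are illustrative.
BACKEND = "http://127.0.0.1:8080"
MAX_PATH_LEN = 2048


class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window`-second span."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so the limiter can be tested offline
        self._hits = {}             # client -> deque of request timestamps
        self._lock = threading.Lock()

    def allow(self, client):
        now = self.clock()
        with self._lock:
            q = self._hits.setdefault(client, deque())
            # Drop timestamps that have fallen out of the window.
            while q and now - q[0] >= self.window:
                q.popleft()
            if len(q) >= self.limit:
                return False
            q.append(now)
            return True


def check_request(path):
    """Server-independent sanity checks; returns a rejection reason or None."""
    if len(path) > MAX_PATH_LEN:
        return "path too long"
    if "\x00" in path or "%00" in path.lower():
        return "null byte in path"
    return None


LIMITER = SlidingWindowLimiter(limit=20, window=1.0)


class FilteringProxy(BaseHTTPRequestHandler):
    """Rejects abusive or malformed requests, forwards the rest to BACKEND."""

    def do_GET(self):
        client = self.client_address[0]
        if not LIMITER.allow(client):
            self.send_error(429, "Too Many Requests")
            return
        reason = check_request(self.path)
        if reason is not None:
            self.send_error(400, reason)
            return
        # Forward upstream, telling the backend who the real client was.
        req = Request(BACKEND + self.path, headers={"X-Forwarded-For": client})
        try:
            with urlopen(req, timeout=5) as resp:
                body = resp.read()
                self.send_response(resp.status)
                for name, value in resp.getheaders():
                    if name.lower() not in ("transfer-encoding", "connection"):
                        self.send_header(name, value)
                self.end_headers()
                self.wfile.write(body)
        except HTTPError as exc:
            self.send_error(exc.code)       # pass backend error codes straight through
        except URLError:
            self.send_error(502, "Bad Gateway")


if __name__ == "__main__":
    # Listen on the public port; the backend stays bound to loopback only.
    ThreadingHTTPServer(("0.0.0.0", 80), FilteringProxy).serve_forever()
```

The limiter is deliberately independent of the HTTP handler, which is the whole point of the post: the same object could sit in front of any backend, and the `clock` parameter lets it be exercised without a running server.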

Completely by chance, a few days after I had these thoughts I was reading Marcus Ranum's website and ran across this article which talks about "proxy firewalls". It turns out that these are basically exactly the kind of thing that I was talking about above, and are apparently a very old idea. This really amazed me, because in all of the reading on computer security I have ever done I have literally never heard the term "firewall" used to describe software which does anything other than filter out packets based on things like port number, source and target address, whether they are TCP or UDP, etc. I had heard of buzz words like "deep packet inspection", but I thought this was a relatively recent idea. Even more amazing is that if you google for things like "open source" "http proxy firewall" you get amazingly few results. You can configure Squid to do some of this stuff, but it's not really the project's main focus. I'm really surprised that there are apparently few or no open source projects out there which are basically a stand-alone mod_security implemented as a proxy. Something that could easily put basic (D)DoS/brute-force protection like mod_evasive and basic SQL injection, XSS, etc. protection like mod_security in front of any web server you like feels like it would be a smash hit. Apparently the idea is decades old, so what's the hold up?
