
Secure Access to Liferay through RProxyDMZ
This page has been moved here from the Main wiki because it is, in fact, a proposal.
Descriptions#
RProxy/DMZ#
Putting a Liferay portal directly on the Internet gives attackers direct access to any vulnerabilities of the underlying platform (application, web server, libraries, operating system). However, to provide a useful service to Internet users, access to your portal server is required. A packet-filter firewall shields your portal server from attacks on the network level. In addition, a Protection Reverse Proxy protects the portal-server software on the level of the application protocol.
Security is not the only reason why a reverse proxy is useful. A reverse proxy can be used as a common entry point for different backend systems (Integration Proxy) and/or as a front door for single sign-on and access control.
Graphic #
This shows an RProxy with a 1:1 URL mapping. You could do very complicated URL mappings too, but for security and performance reasons it is always a good idea to keep RProxy configs as simple as possible.
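One way the 1:1 mapping could look with Apache httpd and mod_jk running on the DMZ host, as an added example that is not part of the original proposal. The host names, AJP port, worker name and file paths are assumptions.

```apache
# Added example (constructed): Apache httpd in the DMZ forwarding to a
# Liferay portal server on the internal network over AJP.
# Assumed names: portal.internal.example, www.example.com, worker "liferay".
LoadModule jk_module modules/mod_jk.so

# One AJP worker that points at the portal server behind the inner firewall.
JkWorkerProperty worker.list=liferay
JkWorkerProperty worker.liferay.type=ajp13
JkWorkerProperty worker.liferay.host=portal.internal.example
JkWorkerProperty worker.liferay.port=8009

JkShmFile  logs/jk.shm
JkLogFile  logs/mod_jk.log
JkLogLevel info

# Do not answer TRACE requests on the Internet-facing host.
TraceEnable off

<VirtualHost *:80>
    ServerName www.example.com

    # 1:1 URL mapping: every request path is handed to the same path on
    # the portal server. No rewriting and no per-path exceptions, so the
    # proxy configuration stays small enough to review.
    JkMount /* liferay
</VirtualHost>
```

The packet filter between the DMZ and the internal network then only needs to allow the proxy host to reach the portal server on the AJP port.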
Requirements/Objectives#
<discuss the requirements and objectives>
Discussion of Design/Implementation Approach#
<discuss the design/implementation approach>
ToDo: description of solution using mod_jk
ToDo: description of solution using pound
Comments #
This sort of functionality should be implemented in the caching portion of Liferay, IMHO. Allowing the installation of the Caching/Proxy server on multiple machines, particularly if they can be geographically distributed (à la Akamai) really goes a long way toward reaching for that N-tiered application.
Lisa Simpson | Posted on 10/6/09 10:23 AM