
Exercise 44: Setting Up and Testing a Reverse Proxy for Web Application Security

Apr 30, 2025

Objective

Configure a reverse proxy to enhance the security of a web application by handling SSL termination and request forwarding. Understand how reverse proxies help mitigate common web-based attacks like SQL injection and Cross-Site Scripting (XSS) by isolating the backend server.


Scenario

A company wants to secure its web application by implementing a reverse proxy. In this exercise, you’ll install and configure Nginx (or HAProxy) as a reverse proxy to secure communication and shield the backend web server. You’ll also test the setup and understand the security benefits.

⚠️ Important: Perform this exercise in a legal and controlled environment. Unauthorized modifications to web infrastructure are illegal and unethical.


Lab Instructions

Step 1: Set Up the Backend Web Server

a. Install Apache Web Server (Backend Server)

sudo apt update
sudo apt install apache2 -y

b. Verify the Apache Server is Running

sudo systemctl status apache2
  • Open a browser and navigate to http://<backend-ip> to confirm the server is accessible.

Step 2: Install and Configure Nginx as a Reverse Proxy

a. Install Nginx

sudo apt install nginx -y

b. Configure Nginx as a Reverse Proxy

  • Edit the default Nginx configuration:
sudo nano /etc/nginx/sites-available/default
  • Replace the content with the following:
server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
  • Explanation:
    • Requests for yourdomain.com arriving on port 80 are forwarded to the backend server at 127.0.0.1:8080; the X-Real-IP, X-Forwarded-For and X-Forwarded-Proto headers carry the original client address and scheme to the backend, since the backend otherwise only sees the proxy.
    • Apache listens on port 80 by default, the same port Nginx now binds, so the backend must be moved to 127.0.0.1:8080 (or proxy_pass changed to match) before both services can run on one host.
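The port move described above, as an added helper script that is not part of the original exercise: it rewrites Apache's ports.conf and default virtual host so the backend listens only on 127.0.0.1:8080, the address the Nginx proxy_pass expects. It assumes the Debian/Ubuntu Apache file layout (/etc/apache2/ports.conf and sites-enabled/000-default.conf) and only touches the live files when run with --apply.

```shell
#!/bin/sh
# Added helper (not part of the original exercise): move the Apache backend from
# port 80 to 127.0.0.1:8080 so Nginx can take port 80 and the backend is not
# reachable from outside the host. Assumes the Debian/Ubuntu Apache layout
# (/etc/apache2/ports.conf and sites-enabled/000-default.conf).

BACKEND_BIND="127.0.0.1:8080"   # must match proxy_pass in the Nginx server block

# rewrite_in_place FILE SED_EXPR: portable in-place edit (avoids sed -i differences)
rewrite_in_place() {
    sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# rebind_ports_conf FILE: "Listen 80" -> "Listen 127.0.0.1:8080" (leaves Listen 443 alone)
rebind_ports_conf() {
    rewrite_in_place "$1" "s/^Listen 80$/Listen ${BACKEND_BIND}/"
}

# rebind_vhost FILE: "<VirtualHost *:80>" -> "<VirtualHost 127.0.0.1:8080>"
rebind_vhost() {
    rewrite_in_place "$1" "s/^<VirtualHost \*:80>/<VirtualHost ${BACKEND_BIND}>/"
}

# check_bound FILE: succeeds only if FILE no longer binds port 80 on all
# interfaces and does reference the loopback bind
check_bound() {
    ! grep -Eq '^(Listen 80$|<VirtualHost \*:80>)' "$1" && grep -q "$BACKEND_BIND" "$1"
}

# Apply to the live system only when explicitly asked: sudo sh rebind_apache.sh --apply
if [ "${1:-}" = "--apply" ]; then
    set -e
    rebind_ports_conf /etc/apache2/ports.conf
    rebind_vhost /etc/apache2/sites-enabled/000-default.conf
    check_bound /etc/apache2/ports.conf
    check_bound /etc/apache2/sites-enabled/000-default.conf
    apache2ctl configtest        # refuse to restart on a broken config
    systemctl restart apache2
fi
```

After the restart, http://<backend-ip> should no longer answer on port 80 while curl http://127.0.0.1:8080 from the proxy host still does.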

c. Restart Nginx

sudo systemctl restart nginx

Step 3: Configure SSL Termination (Optional but Recommended)

a. Install SSL Certificates (Let’s Encrypt Example)

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com
  • Explanation: Certbot obtains a free certificate from Let’s Encrypt and updates the Nginx configuration to serve the site over HTTPS, so traffic between clients and the proxy is encrypted.

b. Verify SSL Configuration

  • Access https://yourdomain.com and confirm the SSL certificate is active.

Step 4: Test the Reverse Proxy Setup

a. Access the Web Application via Nginx

  • Open a browser and navigate to http://yourdomain.com.
  • Expected Result: The web application should load correctly through the reverse proxy.

b. Check Logs for Traffic Routing

  • View Nginx logs to verify proxy traffic:
sudo tail -f /var/log/nginx/access.log

Step 5: Discuss Security Advantages of Reverse Proxies

  1. SSL Termination: Encrypts communication between clients and the proxy, protecting data in transit; the proxy decrypts requests and forwards them to the backend.
  2. Backend Server Protection: Hides the backend server’s IP and structure from direct access.
  3. Web Application Firewall (WAF): Filters malicious requests (e.g., SQL injection, XSS).
  4. Rate Limiting and Load Balancing: Controls traffic flow and prevents overload.
  5. DDoS Mitigation: Absorbs and filters malicious traffic.

Solution & Explanation

What is a Reverse Proxy?

  • A reverse proxy acts as an intermediary between clients and backend servers. It forwards client requests to backend servers while masking their identity and adding security features.

Benefits Over Direct Access

  • Security: Protects the backend server from direct exposure.
  • Scalability: Distributes traffic across multiple backend servers.
  • SSL Offloading: Handles SSL encryption, reducing backend server load.
  • Caching: Stores responses to reduce load and improve performance.

Common Attack Mitigations

  • SQL Injection/XSS: Can be mitigated by implementing a WAF on the reverse proxy.
  • DDoS Attacks: Rate limiting and filtering reduce attack impact.
  • Port Scanning: Only the proxy’s ports are exposed, so scans from outside reveal the proxy rather than the backend services.

Testing & Verification

  1. Web Access Test: Confirm the web application works through the reverse proxy.
  2. SSL Verification: Ensure HTTPS works if SSL is configured.
  3. Backend Access: Direct access to the backend server should be blocked.

Check Open Ports

sudo netstat -tulnp | grep nginx
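The open-port check above, and the “Backend Access” verification item, as an added audit script that is not part of the original exercise: it reads ss -tulnp output and reports when the backend (apache2) is bound to anything other than loopback, or when no nginx listener owns port 80. Process names and the ss column layout are assumed; the embedded sample output is constructed.

```shell
#!/bin/sh
# Added verification helper (not part of the original exercise): audit listening
# sockets so the backend (apache2) is bound to loopback only and nginx owns :80.
# Feed it real output with:  sudo ss -tulnp | audit_listeners
# Assumes Debian-style process names ("nginx", "apache2") and ss's column layout.

# audit_listeners: reads `ss -tulnp` lines on stdin, prints one line per
# finding, exits 1 if the backend is exposed or the proxy is not on :80.
audit_listeners() {
    awk '
    $2 == "LISTEN" {
        bind = $5; proc = $7
        sub(/:[0-9]+$/, "", bind)                # strip the port -> bind address
        loopback = (bind == "127.0.0.1" || bind == "[::1]")
        if (proc ~ /apache2/ && !loopback) { print "BACKEND_EXPOSED " $5; bad++ }
        if (proc ~ /nginx/ && $5 ~ /:80$/)   { proxy_ok = 1 }
    }
    END {
        if (!proxy_ok) { print "PROXY_MISSING no nginx listener on :80"; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Constructed sample: nginx correctly on :80, but apache2 still bound to every
# interface on 8080, so the backend is reachable without going through the proxy.
SAMPLE_SS_OUTPUT='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*    users:(("nginx",pid=1234,fd=6))
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*    users:(("apache2",pid=2345,fd=4))
udp   UNCONN 0      0          127.0.0.53%lo:53    0.0.0.0:*    users:(("systemd-resolved",pid=500,fd=12))'

# audit_sample: runs the audit over the constructed sample and returns its findings
audit_sample() {
    printf '%s\n' "$SAMPLE_SS_OUTPUT" | audit_listeners
}

# Demo: sh audit_listeners.sh --demo  (prints BACKEND_EXPOSED 0.0.0.0:8080)
if [ "${1:-}" = "--demo" ]; then
    audit_sample || echo "audit failed (expected for the constructed sample)"
fi
```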

Security Best Practices

  1. Use SSL/TLS Encryption: Encrypt all client-server communications.
  2. Enable a Web Application Firewall (WAF): Filter malicious traffic.
  3. Limit Backend Access: Restrict backend access to internal or proxy-only networks.
  4. Regular Updates: Keep Nginx and backend servers updated.
  5. Implement Rate Limiting: Prevent abuse from excessive requests.

Additional Script (Optional)

Automate Reverse Proxy Configuration:

#!/bin/bash
# Automated Nginx Reverse Proxy Setup
set -euo pipefail   # stop on the first failing command instead of restarting a half-configured proxy

sudo apt update
sudo apt install nginx -y

# Write the proxy server block; the \$ escapes keep Nginx variables literal inside the heredoc
sudo bash -c 'cat > /etc/nginx/sites-available/default <<EOF
server {
    listen 80;
    server_name yourdomain.com;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF'

# Validate the configuration before restarting so a typo does not take the site down
sudo nginx -t
sudo systemctl restart nginx
echo "Reverse Proxy Configured Successfully."

Run the script:

chmod +x setup_reverse_proxy.sh
sudo ./setup_reverse_proxy.sh

Conclusion

In this exercise, you configured Nginx as a reverse proxy to protect a web application. You implemented SSL termination, forwarded client requests securely, and learned how reverse proxies can mitigate attacks like SQL injection and XSS. Reverse proxies are a critical security layer for modern web infrastructure.
