The Web Redirector

This page is under construction

A Web Application Firewall (WAF) is an appliance or software that provides customized protection for web applications against attacks. A Reverse Proxy is a server that routes all connections coming from the Internet addressed to one Web server. Reverse proxies can deal with the request itself or pass the request wholly or partially to the main web servers.

The Web Redirector is a reverse proxy developed by CERN IT/ES for the WLCG experiments. It is placed in front of other Web services to act as a web application firewall. The Web Redirector attempts to mitigate potential threats coming from the underlying network, from managed and unmanaged clients and hosts, and from potentially untrustworthy users.
All connections coming from the Internet addressed to one of the experiment Web servers are routed through the Web Redirector. The Web Redirector filters the requests before redirecting them to the real web server serving the request. The filters applied can be of many kinds: authorization filters, cross-site scripting attack checking, etc.
Besides acting as a WAF, the Web Redirector can also provide customizable load balancing algorithms for the web applications running behind it. It can also act as a web cache.

The Web Redirector offers the following features through well-established technologies:
  • WAF through the Apache ModSecurity module.
  • SSL-based authentication. The CERN Single Sign On (SSO) Shibboleth service is used for this purpose.
  • Load distribution. Requests can be served by several ATLAS/CMS/LHCB web servers, each serving the same or its own application. Load distribution is achieved through mod_proxy_balancer.
  • Caching support. The reverse proxy can offload the web servers behind it by caching static content through the Apache mod_cache and the frontier-squid server.
  • Support for special configurations: AJP protocol for Tomcat-based applications; customized redirection through rewrite rules; session-aware forwarding; Kerberos-aware sessions.
  • Hardware sparing by supporting virtualization.
  • Web analytics through awstats and webalizer.
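
How the modules listed above can fit together on one Apache virtual host, as an added example that is not the Web Redirector's own configuration. Hostnames, file paths, the /app prefix, the route names and the JSESSIONID cookie are assumptions.

```apache
# Added example, not the Web Redirector's own configuration.
# Hostnames, paths, route names and the cookie name are placeholders.
<VirtualHost *:443>
    ServerName redirector.example.org

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/redirector.example.org.pem
    SSLCertificateKeyFile /etc/pki/tls/private/redirector.example.org.key

    # Reverse proxy only: never serve as an open forward proxy.
    ProxyRequests Off
    ProxyPreserveHost On

    # WAF: ModSecurity inspects each request before it is proxied.
    SecRuleEngine On
    SecRequestBodyAccess On
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/httpd/modsec_audit.log
    # Rule set location is an assumption.
    Include /etc/httpd/modsecurity.d/*.conf

    # SSO: require a Shibboleth session before anything reaches a backend.
    <Location /app>
        AuthType shibboleth
        ShibRequireSession On
        Require valid-user
    </Location>

    # Load distribution with session-aware forwarding to Tomcat over AJP.
    # Each route must match the jvmRoute configured on that backend.
    <Proxy balancer://expapp>
        BalancerMember ajp://backend1.example.org:8009 route=node1
        BalancerMember ajp://backend2.example.org:8009 route=node2
        ProxySet lbmethod=byrequests stickysession=JSESSIONID
    </Proxy>
    ProxyPass        /app balancer://expapp/app
    ProxyPassReverse /app balancer://expapp/app

    # Caching: offload static content from the backends.
    CacheRoot   /var/cache/httpd/proxy
    CacheEnable disk /app/static
</VirtualHost>
```

The filtering only holds if the backends cannot be reached directly, so the AJP and HTTP ports of the web servers should accept connections from the redirector host alone.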

The Web Redirector runs on experiment VOBOXes. The required operating system is SLC5.
The Web Redirector is compliant with the recommendations of the CERN Security Team.

Configuration

In this installation document we provide instructions to VOCs on the steps to follow to install and configure a Web Redirector Service on a VOBOX.

Configuration of a web service

In this service installation document we provide the instructions to install and configure a web service running on the same machine where the Web Redirector runs.

Documentation

-- FlaviaDonno - 04-Jun-2010

Topic revision: r6 - 2010-12-03 - FlaviaDonno