Security doubt about Varnish and firewall.

DHF varnish-list at itiva.com
Tue Apr 22 20:38:03 CEST 2008


andan andan wrote:
> We have a security doubt: Should we install Varnish inside or outside
> firewall?

I run varnish on many linux boxes with Netfilter default log and drop
rules and have not seen a performance problem.

> For better performance, we consider that the best choice is outside,
> but for obvious security reasons, the better choice is putting it into
> a DMZ.

This depends on your particular environment.  What kind of hardware are
you using?  What kind of firewall is it?  How much traffic can the
firewall handle?  How much traffic do you usually see to the backend
server?  Where is the backend server located?  What is your reason for
using a reverse proxy?  What is the expected hit ratio on the cache? 
What kind of content are you delivering?  Do you have any network
operations tasks that require you to collect data from the server in a
fashion that requires it to be behind the firewall?

If the backend server is through the firewall, it could be beneficial to
have your varnish box outside the firewall, and you could restrict access
to the backend server to only the varnish server's IP or an internal IP
on a separate network.  Then run iptables or ipfw on the varnish server
itself.

> Any suggestions? Somebody has Varnish outside the firewall?

I have found no reason to not use ipfw or iptables on deployed servers;
the benefit in my opinion outweighs the performance loss.  With a
minimal ruleset the performance impact is so small it's hard to measure
until you reach huge packets per second, or connections a second
(assuming your hardware isn't a few years away from collecting a
pension).  I have never seen a production box reach the limits of
iptables packets per second because whatever process is on the box
(apache, varnish, squid, mysql, etc.) will have long ago melted down into
a pile of smoldering ruin due to high load, and iptables performance
becomes irrelevant.

--Dave
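The layout Dave describes (Varnish outside the firewall, the backend reachable only from the Varnish address, and a minimal default log-and-drop Netfilter ruleset on the Varnish box itself), as an added example that is not from the list post. Addresses, ports and chain layout are constructed assumptions; the script prints the iptables commands as a dry run unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not from the mailing list: minimal Netfilter rules for a
# Varnish host outside the firewall plus the matching rules on the backend.
# All addresses and ports below are constructed assumptions; adjust them.
# Dry run by default (prints the commands); APPLY=1 executes them as root.
VARNISH_IP="${VARNISH_IP:-203.0.113.10}"   # public address of the Varnish host (constructed)
BACKEND_IP="${BACKEND_IP:-10.0.0.5}"       # origin server on the internal network (constructed)
ADMIN_NET="${ADMIN_NET:-10.0.0.0/24}"      # where SSH/monitoring comes from (constructed)
VARNISH_PORT="${VARNISH_PORT:-6081}"       # assumed Varnish listen port
BACKEND_PORT="${BACKEND_PORT:-8080}"       # assumed origin listen port
if [ "${APPLY:-0}" = "1" ]; then IPT="iptables"; else IPT="echo iptables"; fi

# Varnish host: default DROP, accept only the cache port from anywhere,
# SSH from the admin network, log (rate limited) and drop everything else.
varnish_host_rules() {
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -F INPUT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp --dport "$VARNISH_PORT" -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "varnish-drop: "
  $IPT -A INPUT -j DROP
}

# Backend host: the origin port is reachable only from the Varnish address,
# so a request that bypasses the cache never reaches the application.
backend_host_rules() {
  $IPT -P INPUT DROP
  $IPT -F INPUT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -p tcp -s "$VARNISH_IP" --dport "$BACKEND_PORT" -m state --state NEW -j ACCEPT
  $IPT -A INPUT -p tcp -s "$ADMIN_NET" --dport 22 -m state --state NEW -j ACCEPT
  $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "backend-drop: "
  $IPT -A INPUT -j DROP
}

# Self-check on the dry-run output: returns 1 if any ACCEPT rule opens the
# origin port to a source other than the Varnish address, 0 otherwise.
backend_accepts_only_varnish() {
  backend_host_rules | grep -- "--dport $BACKEND_PORT" \
    | grep -v -- "-s $VARNISH_IP" | grep -q ACCEPT && return 1
  return 0
}
```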
