Chapter 9. Infrastructure

In this chapter, we take a step back from a single Apache server to discuss the infrastructure and the architecture of the system as a whole. Topics include:

• Application isolation strategies

• Host security

• Network security

• Use of a reverse proxy, including use of web application firewalls

• Network design

We want to make each element of the infrastructure as secure as it can be and design it to work securely as if the others did not exist. We must do the following:

• Do everything to keep attackers out.

• Design the system to minimize the damage of break in.

• Detect compromises as they occur.

Some sections of this chapter (the ones on host security and network security) discuss issues that not only relate to Apache, but also could be applied to running any service. I will mention them briefly so you know you need to take care of them. If you wish to explore these other issues, I recommend of the following books:

• Practical Unix & Internet Security by Simson Garfinkel, Gene Spafford, and Alan Schwartz (O'Reilly)

• Internet Site Security by Erik Schetina, Ken Green, and Jacob Carlson (Addison-Wesley)

• Linux Server Security by Michael D. Bauer (O'Reilly)

• Network Security Hacks by Andrew Lockhart (O'Reilly)

Network Security Hacks is particularly useful because it is concise and allows you to find an answer quickly. If you need to do something, you look up the hack in the table of contents, and a couple of pages later you have the problem solved.