I have been working with ColdFusion for a long time. Something that has been seeded in my brain is that for maximum security you should physically separate the web server from the ColdFusion server. So I have always done this using what Adobe refers to as "distributed mode". IIS is on one server and ColdFusion is on a different server. They communicate via the web connector as usual, albeit over the network.

For several years now I have come across posts that mention using a reverse proxy is just as secure as running in distributed mode. With the reverse proxy setup, the web server and ColdFusion server are on the same physical machine but there is a proxy server that handles the requests and functions as the web server (basically). Still in my mind I see the physical separation as being more secure.

It is hard to find any definitive recommendation on the internet. Distributed mode is still mentioned even in the ColdFusion 11 documentation: "For more information on the Web Server Configuration Tool, including information on multihoming and distributed usage, see the Configuring and Administering ColdFusion guide." (Although there is not really much information about it on that referenced page.) Both setups seem to be mentioned on various blogs and posts but I find it more common that people are using the reverse proxy setup rather than the distributed mode setup. Nothing concrete, just my perception as I have scoured the web. Running in distributed mode, with the web server and ColdFusion server on separate servers, definitely adds a layer of complexity when setting things up. Static files reside on the web server and the CFML files on the ColdFusion server. Etc. When you are using third party products this can be difficult to configure correctly.

So my question is, assuming everything else is equal, for maximum security do you use distributed mode or a reverse proxy setup? And some reasons why you do.

Unfortunately the ColdFusion lock down guides are confusing the matter. Here is what I have found.

In the ColdFusion 9 lock down guide (pages 14-15) it states:

You might also consider installing ColdFusion in distributed mode. This allows the web server to reside on a physically separate server from the ColdFusion server. You can also connect multiple web servers to a single ColdFusion server (this is called multihoming in the ColdFusion 9 documentation). This separation can provide additional security and should be considered in environments requiring maximum security. To install distributed mode, select the built-in web server option. For information about configuring distributed mode, see http://www.adobe.com/support/coldfusion/administration/cfmx_in_distributed_mode/cfmx_in_distributed_mode02.html. For details about multihoming, see http://help.adobe.com/en_US/ColdFusion/9.0/Admin/WSc3ff6d0ea77859461172e0811cbf364104-7fc3.html.

Another way to separate the public-facing web server and the ColdFusion server is by using a reverse proxy. In a reverse proxy setup, the ColdFusion server still has a web server installed, but all external client requests are handled by the proxy server, and certain requests are sent to the ColdFusion server for processing.

In the ColdFusion 10 lock down guide (page 27) that statement was trimmed down to this:

For maximum security consider running the web server and ColdFusion on separate physical servers. One way to separate the public facing web server and the ColdFusion server is by using a reverse proxy.

In a reverse proxy setup the ColdFusion server will still have a web server installed, however all external client requests will be handled by the proxy server, and only specific requests will be sent to the ColdFusion server for processing. Consult your web servers documentation to set up a reverse proxy.

And in the ColdFusion 11 lock down guide there is no mention of either. It seems like it should be on or around page 11 which is where the statements were located in the other docs along with running the web server configuration tool. I am very curious as to why Pete took this out of the latest document.

While I am using Adobe ColdFusion I have tagged this question with Railo as well for more input.

Miguel-F

2 Answers


You're confusing "distributed mode" (having the web server and CF server on separate boxes) as being mutually exclusive with using a reverse proxy. In reality, they are two separate concerns. A reverse proxy is simply an alternative to using the standard web connector. It simply causes your web server (IIS, Apache, Nginx) to redirect requests for CFML pages to an HTTP/HTTPS or AJP port on a given host/port on your CF box. You can configure a reverse proxy to proxy to localhost OR to any other server on your network as long as the appropriate ports are open.

Ex. You may enable the AJP listener in Tomcat on port 8009. Then on your Apache web server (which can be anywhere on your network) you reverse proxy requests for .cfm files to that port using the proxy_ajp module.

I've never personally dealt with distributed mode since there seems to be a much smaller number of attack vectors aimed at my web servers. But if you choose to use a "distributed mode", you can do so with the stock connector OR a reverse proxy. It's up to you.

Brad Wood
  • Thanks Brad. Let me clarify a bit, I don't think I am confused with distributed mode versus reverse proxy in and of itself. What confuses me is that I hear (read) people say that a reverse proxy is just as secure as running distributed mode. I'm not sure it is. I would also say there are more attack vectors for an IIS web server than for a CF application server. Just guessing. How do you normally set up your environment(s)? – Miguel-F Mar 03 '15 at 18:29
  • I guess I've never heard anyone make that specific claim. Link? It also doesn't really make sense. That's like saying an American made car gets better gas mileage than a V8 engine. It's not an OR, it's an AND. It's all about partitioning. If IIS/Apache has an exploit that allows a hacker to gain root access to the box, what else can they access? Let's also keep the answers specific to this question, your original is already bending SO's rules IMO. If you want more discussion on the matter, try a CF mailing list like the Lucee google group. – Brad Wood Mar 04 '15 at 00:23
  • Sorry, I'm not trying to deviate from the original intent of my question. And I realize that there may not be a specific answer to it, which may bend the rules of this site. I'm beginning to think that my understanding of the architecture in a reverse proxy setup is wrong. I don't have a specific link to point you to either, but my perception is that hardly anyone runs ColdFusion in "distributed mode". I see more references to reverse proxy instead. If a reverse proxy is nothing more than a different web connector, then I definitely misunderstood. – Miguel-F Mar 04 '15 at 13:49
  • No, I don't think distributed mode is very common, though perhaps just because it's more work and requires more servers. You are correct that a reverse proxy is just an alternative way to "connect" your web and application server. I think reverse proxies seem very popular with Railo/Lucee users since they are most likely to use stock servlet container installs. If this answer was helpful, don't forget to mark it as accepted. – Brad Wood Mar 04 '15 at 18:15
  • Your answer is definitely helpful and I have upvoted it for that reason. I have not accepted it yet in case someone else answers. If not, I will. Can you answer one more question? When you use a reverse proxy, do you still have a web server installed on your ColdFusion server? Or do you set up the proxy to communicate directly with ColdFusion/Tomcat? Thanks for your help on this! – Miguel-F Mar 04 '15 at 18:28
  • You can do it either way. Technically, your servlet container (say, Tomcat) has a web server built in (Coyote). So a front end Nginx load balancer could proxy to a back-end Nginx instance sitting in front of CF, or directly to Tomcat's HTTP/AJP listener. – Brad Wood Mar 06 '15 at 03:55
  • I think I'm starting to understand it now. Thanks again for your help. – Miguel-F Mar 06 '15 at 12:57

DISTRIBUTED mode or REVERSE PROXY setup would be providing mostly similar level of security but DISTRIBUTED mode would have additional HIGH AVAILABILITY & RELIABILITY server scenarios.

Kaif Akbar
  • A reverse proxy can also have HA. For instance, Nginx can be configured to load balance between multiple back-end CF servers across a proxy. A reverse proxy itself provides no security, it's simply another way for the web server and CF server to talk to each other. The security in correctly-configured "distributed mode" comes from the fact that a compromised web server installation still has no direct access to the application code or databases. – Brad Wood Mar 03 '15 at 16:07
  • @BradWood - Your last comment nails it for me and is why I still believe distributed mode is more secure than a reverse proxy. If my web server is compromised they still don't have my application server assets. How would a reverse proxy alleviate this? – Miguel-F Mar 03 '15 at 18:32
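The two points made in this thread, that a reverse proxy is just a different way to connect the web server to ColdFusion (Brad's answer, which uses Tomcat's AJP listener on port 8009 with Apache's proxy_ajp module) and that a reverse proxy can also give the high availability claimed for distributed mode (the comment on this answer), can be shown in one Apache httpd 2.4 configuration. This is an added example written for this page, not configuration from the thread, from Adobe or from the Tomcat project. It assumes httpd runs on its own host with only static files on disk, that two ColdFusion/Tomcat back ends named cf-app-1.internal and cf-app-2.internal expose AJP on 8009, and that the pool name, hostnames and document root are placeholders; the AJP port is the one the answer names, everything else is assumed.

```apache
# Added example: Apache httpd 2.4 as the public-facing reverse proxy for
# ColdFusion. Hostnames, paths and the pool name are placeholders.
LoadModule proxy_module               modules/mod_proxy.so
LoadModule proxy_ajp_module           modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module      modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

# Never act as a forward proxy; this host only reverse-proxies chosen paths.
ProxyRequests Off
# Pass the original Host header through so ColdFusion builds correct URLs.
ProxyPreserveHost On

# Two ColdFusion/Tomcat back ends reached over AJP (port 8009).
# Only this web server should be able to reach 8009 on them; enforce that
# with the firewall on the ColdFusion hosts, not with this file.
<Proxy "balancer://cfpool">
    BalancerMember "ajp://cf-app-1.internal:8009"
    BalancerMember "ajp://cf-app-2.internal:8009"
    ProxySet lbmethod=byrequests
</Proxy>

<VirtualHost *:80>
    ServerName www.example.com

    # Static files live here on the web server. No CFML source is present on
    # this host, so a compromise of httpd does not expose application code.
    DocumentRoot "/var/www/site"
    <Directory "/var/www/site">
        Require all granted
    </Directory>

    # Exclusions must precede the forwarding rules: the ColdFusion
    # Administrator is never reachable through the public proxy.
    ProxyPass "/CFIDE/administrator" "!"
    ProxyPass "/CFIDE/adminapi"      "!"

    # Forward only CFML requests (with optional path-info after the file name)
    # to the pool; every other path is served from DocumentRoot.
    ProxyPassMatch "^(/.*\.cf[cm](/.*)?)$" "balancer://cfpool$1"
</VirtualHost>
```

With this in place the security property Brad describes holds: the only things on the web server host are httpd and static files, and the only path from it to the application tier is AJP on 8009 to the two pool members, which is also what gives the fail-over the comment above mentions. One caveat worth checking on your own ColdFusion build: recent Tomcat releases bind the AJP connector to loopback and refuse connections without a shared secret unless the connector is configured otherwise, so if ColdFusion's bundled Tomcat does that, the connector on each back end must listen on the interface the proxy uses and each BalancerMember needs a matching secret= parameter (supported by mod_proxy_ajp from httpd 2.4.42).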