1

After I searched for how to protect my website host server using GRE tunnels, some friends on this forum gave me a tip to use a reverse proxy, which would be better.

But I haven't found any guide on how to set up a reverse proxy; many guides only teach how to install Nginx, but nothing much directed at what I need.

I have in mind the following working scheme:

Attacks + Users --> My Cloud with DoS / DDoS Mitigation + Reverse Proxy --> My Dedicated Server with WHM/cPanel.

All traffic must pass through the reverse proxy that exists in the cloud.

Is it possible?

Regards.

rodrigo286
  • Have you heard of HAProxy? It's really good at this and very low on resources. There is a great article at `http://blog.haproxy.com/2012/02/27/use-a-load-balancer-as-a-first-row-of-defense-against-ddos/`. – Gmck Mar 17 '16 at 12:55
  • The link seems broken, but I used blog.haproxy.com and this works, really thanks, I will read all of HAProxy. Regards. – rodrigo286 Mar 17 '16 at 13:34

1 Answer

1

It sure is possible, and you have more than one choice, as usual.

You can proxy the TCP connection (Layer 4); this is especially useful when you are terminating SSL connections at your webserver, so your proxy can't decrypt the traffic.

Pros:

  • Less work for the proxy

Cons:

  • Less flexible, fewer knobs, for example if you want to do load balancing too

You can proxy in HTTP with eventual SSL termination on the proxy machine.

Pros:

  • You can do additional security checks at the application layer and have much more control, e.g. you can use nginx/apache + mod_security, manage load balancing if you have more than one webserver (origin server), add a caching layer

Cons:

  • The proxy doing more will have a higher load, but consider that this load is taken from the existing webserver, so you're effectively moving it
  • The configuration will be more involved.

As for what tools to use, the ones that I'm familiar with are:

Both TCP and HTTP(s) Proxies:

  • HAProxy
  • Nginx

HTTP Only:

  • Varnish - can do caching but no HTTPS termination
  • Apache

Hope this helps.

Fredi
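
The two approaches in the answer above, sketched as an HAProxy configuration. This is an added example, not part of the original answer; the origin address `203.0.113.10`, the hostname, the certificate paths and the rate threshold are constructed placeholders.

```haproxy
# Added example: all addresses, names, paths and limits are placeholders.
# Pick ONE option; both listen on :443, so delete the one you do not use.
global
    maxconn 20000

defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# --- Option A: Layer 4 (TCP) proxy ---
# TLS is terminated on the origin web server. The proxy only relays bytes,
# so it cannot inspect requests, cache, or add HTTP headers.
frontend fe_tcp_443
    mode tcp
    bind :443
    default_backend be_origin_tcp

backend be_origin_tcp
    mode tcp
    server origin 203.0.113.10:443 check

# --- Option B: Layer 7 (HTTP) proxy, TLS terminated on the proxy ---
frontend fe_https
    mode http
    bind :443 ssl crt /etc/haproxy/certs/site.pem
    # Pass the real client address to the origin in X-Forwarded-For
    option forwardfor
    # Per-source request rate tracking, available because the proxy sees HTTP
    stick-table type ip size 100k expire 10m store http_req_rate(10s)
    http-request track-sc0 src
    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
    default_backend be_origin_http

backend be_origin_http
    mode http
    # Re-encrypt towards the origin and verify its certificate
    server origin 203.0.113.10:443 ssl verify required ca-file /etc/haproxy/origin-ca.pem verifyhost www.example.com check
```

With either option, the origin server's firewall should accept ports 80/443 only from the proxy's address; otherwise traffic sent straight to the origin IP bypasses the proxy. In option A the origin logs the proxy's address as the client, since no header can be added in TCP mode.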