2

I have a CppCMS based application and I cant use IIS's FastCGI connector as it is broken for my use thus I want to try to use the internal HTTP server designed for debug purposes behind IIS.

I it is quite simple web server for an application that handles basic HTTP/1.0 requests and does not care too much about security like DoS, file serving and more.

So I'd like to know if it is possible to use IIS in front of such application such that it would:

  • Sanitize all requests - ensure that they are proper HTTP
  • Handle all DoS issues like timeouts
  • Serve the static files.

Is this something that can be configured and done at all?

Artyom
  • 31,019
  • 21
  • 127
  • 215

3 Answers3

0

ModSecurity is out for IIS now, it can handle lots of the security related issues.

Wyatt Barnett
  • 15,573
  • 3
  • 34
  • 53
0

I would suggest this is the wrong way of doing this. I would use a web server like Nginx to proxy the requests through to backend server. It is very configurable and you will find a lot of articles with doing it to Apache.

Lee Armstrong
  • 11,420
  • 15
  • 74
  • 122
  • 1
    I hadn't asked about the Nginx or Apache, I know how to do it. I'm talking about IIS and only IIS. – Artyom Aug 21 '11 at 07:20
  • I think you can only do with IIS7.0 or greater. http://blogs.iis.net/carlosag/archive/2010/04/01/setting-up-a-reverse-proxy-using-iis-url-rewrite-and-arr.aspx – Lee Armstrong Aug 21 '11 at 08:25
  • I know that IIS 7 supports reverse proxy, I want to know if it is possible to make it secure/sanitizing proxy. – Artyom Aug 21 '11 at 10:38
  • Not really the job of a web server is it?!? More the job of an HTTP proxy on a firewall. Cisco, Juniper and Watchguards all offer this sort of feature. – Lee Armstrong Aug 21 '11 at 11:40
  • 1
    Well it's IIS so no, it's not possible to do it securely. –  Aug 24 '11 at 14:30
0

We just did something like this. You want the URL Rewriter module. You can use it to sanitize the URLs, however, it isn't going to sanitize the payload. Which is to say, you can make sure that the URLs that hit your box are very specific ones, e.g. not attempts to hits CGI, but you can't use it to make sure that the contents of an upload are safe.

jamie
  • 2,963
  • 1
  • 26
  • 27