Apache Redirection from DMZ to LAN

Posted on 2005-04-23
Last Modified: 2011-10-03

I want to redirect some of the HTTP connections coming from the Internet to our Apache server, located in our DMZ, to the app server (running under Apache/PHP) located in our LAN. Our firewall rules do not allow direct HTTP connections from the Internet to our corporate LAN; I do not want to change these rules.

I found the below solution which seems to be responding to my expectations.

My query is: would this solution cause security holes to the app server in the LAN, or even to the entire LAN?

Thank you

Question by:tgunduz

    Accepted Solution

    > .. cause security holes to the app server in LAN ..
    This server in the LAN is then subject to all web application security threats, the same way as it would be in the DMZ.
    You have to ensure that your web/application server and all their applications are hardened.
    The only advantage you have is that the servers are protected at the network level.

    > .. or even to the entire LAN
    Depends on your OS and the applications on the server.
    If your applications are vulnerable to SQL and/or OS command injection, then your LAN could be compromised too.

    Assisted Solution

    Realistically, the DMZ is there for a reason; any servers that are facing the outside world are in a protected segment, where they cannot reach internal servers.  You're talking about bridging that gap, effectively punching a hole in a security wall.

    Yes, you can do it, but take ahoffman's advice to heart.  If the internal LAN server is in any way vulnerable to HTTP-based attacks that are being forwarded, it can be leveraged against the rest of your LAN, depending on what the attack can achieve.  Generally speaking, it's best to leave such interaction to levels where the input is carefully controlled... e.g. querying an SQL database thru a specific account, such that the only data that could ever be compromised will not affect the rest of the operations on your LAN.
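The setup discussed in this thread, sketched as an added example that is not part of the original posts and is not the solution the asker linked to: a DMZ Apache (2.4 syntax, mod_proxy and mod_proxy_http loaded) that forwards a single application path to the LAN server and refuses everything else. The host name, the address 10.0.10.20, the `/app/` path and the `admin`/`setup` sub-paths are assumptions chosen for illustration.

```apache
# Added example: DMZ reverse proxy that narrows what reaches the LAN app server.
# Assumed values: www.example.com, 10.0.10.20, /app/, and the admin/setup paths.

<VirtualHost *:80>
    ServerName www.example.com

    # Reverse proxy only; never act as a forward (open) proxy.
    ProxyRequests Off

    # Forward just the published application path. Any other URL is
    # handled (or rejected) by the DMZ server and never crosses the firewall.
    ProxyPass        "/app/" "http://10.0.10.20/app/"
    ProxyPassReverse "/app/" "http://10.0.10.20/app/"

    <Location "/app/">
        # Let through only the HTTP methods the application needs.
        <LimitExcept GET POST>
            Require all denied
        </LimitExcept>
    </Location>

    # Keep internal-only parts of the application unreachable from the Internet.
    <LocationMatch "^/app/(admin|setup)">
        Require all denied
    </LocationMatch>

    # Separate access log so forwarded requests can be reviewed on their own
    # ("combined" is the format defined in the default httpd.conf).
    CustomLog "logs/app_proxy_access.log" combined
</VirtualHost>
```

With this in place the firewall needs one rule only: HTTP from the DMZ web server's address to the app server, with direct Internet-to-LAN connections still blocked. The proxy limits which requests arrive; it does not fix injection flaws in the application itself, so the hardening advice in the answers still applies.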

    Author Comment

    Thank you guys!!
