waf before revers proxy

should i take the reverse proxy before the waf or behind it ?
i didn't use the waf as reverse proxy.
Amin El-ZeinAsked:
Who is Participating?
nociConnect With a Mentor Software EngineerCommented:
Ow that depends on network layout.....
If the WAF+Reverse proxy are in a DMZ no....

Default gateway belongs to the network toplogy.... for this chain to work people enter the system from outside, and meet the reverse proxy,
the reverse proxy handles the connection, decrypts SSL,  and dispatches to some backend, in your case the ipaddress of the WAF, the WAF on its turn should connect validated request through to a webserver (farm?).... and when the connection is established there will be an automatic flow back for valid connections.  
All those transaction take place on Level 7 in the OSI stack  [ application layer ].

Default Gateway is associated with IP routing which is Level 3 in the OSI Stack. [ Routing Layer ].
So if your WAF is ALSO an IP router then the default gateway can point there.  But it is a function of being an IP router.
nociSoftware EngineerCommented:
Assuming that the reverse proxy also is responsible for for decrypting SSL links the WAF should be behind the reverse proxy.
A WAF should be able to act on all data in the stream, which is hard to do on encrypted links.
Reverse proxies are mostly not meant to be used as caches like the "straight" proxies, they are used to distribute the work (Load balance, failover handling ..)
Amin El-ZeinAuthor Commented:
so the default gateway for web server will be the waf device right ?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.