firewalls and FastCGI apps

Mark Brown (mbrown@OpenMarket.com)
Mon, 29 Jul 1996 16:14:01 -0400

Message-Id: <199607292014.QAA07353@breckenridge.openmarket.com>
To: fastcgi-developers@OpenMarket.com
Subject: firewalls and FastCGI apps
Date: Mon, 29 Jul 1996 16:14:01 -0400
From: Mark Brown <mbrown@OpenMarket.com>


I've recently gotten some email asking about how to
run FastCGI through a firewall.  I've reproduced my 
response below (indented text is from the questioner).

    --mark

------- Forwarded Message

    My understanding is that the basic mechanism is to have a process
    on the outside of the firewall "talk" to process on the inside of
    the firewall via TCP/IP.  The process on the inside of the
    firewall then retrieves information from the database and returns
    that information to the process on the outside of the firewall
    for display to the browser.

Yes.  The process on the outside of the firewall is part of a Web
server.  The process on the inside of the firewall is a FastCGI
application server, most likely part of a server class containing
several processes (if the load is too great to be handled by a single
process).

It is important to prevent bad guys from connecting to the FastCGI
application server.  The only authentication mechanism available to
the FastCGI application server is IP address validation.  Therefore it
is important that the Web server sitting outside the firewall should
itself sit behind an address filter that prevents impersonation of the
Web server's IP address.  Most routers support such address filtering,
which is quite inexpensive compared with an application-level gateway.

    Via what port on the firewall do processes "talk" to each other?

The choice of port (ports in case of a server class containing more
than one process) is a configuration option.

    Is it via http on port 80? Something else?

The communication does not use http, it uses the FastCGI protocol.
Port 80 could be used, but would be an unusual/confusing choice.

    If it is something else, are there any firewall vendors writing a
    proxy server for this?

Essentially all firewalls have a circuit-level gateway capability.
That is, they can be configured to pass through a TCP stream from a
specified address to a specified address/port, without examining the
bytes of the stream.  This is how SSL "proxies" have to work, since the
stream is encrypted.  FastCGI can be done the same way.

I'm not aware of any firewall vendors building an application-level
proxy for the FastCGI protocol.

   --mark

------- End of Forwarded Message
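The IP address validation the mail describes, applied at accept() time on the application server's listening socket, as an added example that is not from Mark's mail or from any FastCGI implementation. The allowlist format (comma-separated hosts and CIDR blocks) and the function names are assumptions of this example.

```python
import ipaddress
import socket

# Allowlist of Web server addresses, comma-separated hosts and/or CIDR blocks.
# The format is an assumption of this example; a bare host becomes a /32.
def parse_allowlist(spec):
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if item:
            nets.append(ipaddress.ip_network(item, strict=False))
    return nets

def peer_allowed(peer_ip, allowed):
    """True only if the peer's source address lies inside an allowed network."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)

def accept_validated(listener, allowed):
    """accept() one connection and return it only if the peer is allowed;
    otherwise close it before a single FastCGI record is read.  This trusts
    the source address reported by the kernel, which is why the mail insists
    on anti-spoofing address filtering in front of the Web server."""
    conn, peer = listener.accept()
    if peer_allowed(peer[0], allowed):
        return conn
    conn.close()
    return None

def demo_loopback():
    """Constructed self-check: connect over loopback twice, once with the
    loopback address allowed and once with only an unrelated address allowed.
    Returns (first_accepted, second_rejected); expected (True, True)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(2)
    port = srv.getsockname()[1]
    cli1 = socket.create_connection(("127.0.0.1", port))
    got = accept_validated(srv, parse_allowlist("127.0.0.1"))
    accepted = got is not None
    if got:
        got.close()
    cli1.close()
    cli2 = socket.create_connection(("127.0.0.1", port))
    rejected = accept_validated(srv, parse_allowlist("192.0.2.10")) is None
    cli2.close(); srv.close()
    return accepted, rejected
```

The check is only as strong as the source-address filter in front of the Web server, exactly as the mail points out.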