ApacheCon Europe 2012

Rhein-Neckar-Arena, Sinsheim, Germany

5–8 November 2012

Cloudy Fortress: Proxying for Security

Nick Kew

Audience level:
Web Infrastructure


This talk offers an introductory overview of two projects, both of which harness clusters of proxy caches running Apache Traffic Server in the cloud. Ironbee is a Web Application Firewall and the successor to mod_security, while the Deflect project offers a free DoS-protection service to non-profit clients whose Free Speech could come under attack. The source for both projects is free and open.


Cloudy Fortress: Proxying for Security

Apache Traffic Server is rapidly becoming a key component of web infrastructure, commonly in 'cloud' configurations where a distributed cluster of high-performance proxies serves as the frontend for web servers and applications. In addition to its original role as a cache and accelerator, it is increasingly used to secure the backends against a range of attacks. This talk introduces two such projects: the Ironbee web application firewall and the Deflect service.


Ironbee is an open source web application firewall (WAF), developed by a Qualys team headed by the former architects of mod_security. The core Ironbee product is a library, and in principle it can be deployed with any server or proxy, provided only that the host offers APIs exposing all HTTP request and response data to the firewall. Apache Traffic Server is the primary platform, and a Traffic Server plugin for Ironbee is actively developed and maintained.

Ironbee inspects incoming HTTP requests and outgoing responses, and in both cases it may be configured to inspect headers, payloads, or both for patterns or characteristics that are suspect or forbidden. Suspect data is logged, and can additionally be rewritten to a safe pattern or refused altogether, in which case an error is returned to the client. The configuration language lets sysops build rules from all the usual HTTP request and response fields, as well as from free-form patterns.

In addition to a configuration language typical of a WAF, Ironbee provides C and C++ APIs for plugging in extension modules. One such module, shipped with the core product, supports the Lua language.
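The inspect-then-log/rewrite/refuse pipeline described in the two paragraphs above, reduced to a self-contained C program. This is an added illustration, not Ironbee code and not its rule language: the rule table, the rule names, the substring matcher and the sample HTTP messages are all constructed here, and the code operates on plain strings rather than on the Traffic Server plugin API. What it shows is the part a WAF configuration is built around: each rule names a target (header block or payload), a pattern, and one of three actions, and a rewrite that cannot be completed safely falls back to refusing the message.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed rule model for illustration; it is not Ironbee's rule language.
   A rule names a target (headers or payload), a case-insensitive substring to
   look for, and the action to take when it matches. */
typedef enum { TARGET_HEADERS, TARGET_BODY } target_t;
typedef enum { ACTION_LOG, ACTION_REWRITE, ACTION_REFUSE } action_t;

typedef struct {
    const char *name;
    target_t    target;
    const char *pattern;      /* matched case-insensitively as a substring */
    action_t    action;
    const char *replacement;  /* only used with ACTION_REWRITE */
} rule_t;

/* One HTTP message as the firewall sees it: raw header block plus payload. */
typedef struct {
    char headers[512];
    char body[512];
} message_t;

/* Outcome of inspection: status to send (200 = pass through, 403 = refused),
   number of rules that fired (each is logged), and substitutions made. */
typedef struct { int status; int logged; int rewritten; } verdict_t;

/* Constructed sample rules: one per action. */
const rule_t RULES[] = {
    { "debug-header",   TARGET_HEADERS, "X-Debug:", ACTION_LOG,     NULL },
    { "script-in-body", TARGET_BODY,    "<script",  ACTION_REWRITE, "&lt;script" },
    { "dot-dot-path",   TARGET_HEADERS, "/../",     ACTION_REFUSE,  NULL },
};
const size_t NRULES = sizeof RULES / sizeof RULES[0];

/* Case-insensitive substring search; returns a pointer into hay or NULL. */
static char *ci_strstr(char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return hay;
    }
    return NULL;
}

/* Replace every occurrence of pat in buf with rep, shifting the text in place.
   Returns the number of substitutions, or -1 if the result would not fit in
   cap bytes; the caller then refuses rather than forward a half-sanitised payload. */
static int replace_all(char *buf, size_t cap, const char *pat, const char *rep) {
    size_t plen = strlen(pat), rlen = strlen(rep);
    int n = 0;
    char *p = buf;
    while ((p = ci_strstr(p, pat)) != NULL) {
        size_t len = strlen(buf);
        if (len - plen + rlen + 1 > cap) return -1;
        memmove(p + rlen, p + plen, len - (size_t)(p - buf) - plen + 1); /* moves the NUL too */
        memcpy(p, rep, rlen);
        p += rlen;
        n++;
    }
    return n;
}

/* Run every rule over the message and apply the configured actions. */
verdict_t inspect(message_t *m, const rule_t *rules, size_t nrules) {
    verdict_t v = { 200, 0, 0 };
    for (size_t i = 0; i < nrules; i++) {
        int hdr = rules[i].target == TARGET_HEADERS;
        char *buf = hdr ? m->headers : m->body;
        size_t cap = hdr ? sizeof m->headers : sizeof m->body;
        if (ci_strstr(buf, rules[i].pattern) == NULL) continue;
        fprintf(stderr, "waf: rule '%s' matched in %s\n", rules[i].name, hdr ? "headers" : "body");
        v.logged++;
        if (rules[i].action == ACTION_REFUSE) { v.status = 403; return v; }
        if (rules[i].action == ACTION_REWRITE) {
            int r = replace_all(buf, cap, rules[i].pattern, rules[i].replacement);
            if (r < 0) { v.status = 403; return v; }  /* could not sanitise: refuse */
            v.rewritten += r;
        }
    }
    return v;
}

int main(void) {
    /* Constructed request: a posted comment containing markup the rewrite rule neutralises. */
    message_t m = { "POST /comment HTTP/1.1\r\nHost: example.org\r\n",
                    "text=<SCRIPT>x</script>" };
    verdict_t v = inspect(&m, RULES, NRULES);
    printf("status=%d logged=%d rewritten=%d body=%s\n", v.status, v.logged, v.rewritten, m.body);
    return 0;
}
```

A real deployment would match with compiled regular expressions and would be driven from the proxy's request and response hooks, but the shape is the same: rules are evaluated in order, every match is logged, and a refuse action short-circuits the remaining rules because nothing is forwarded anyway.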


The Deflect project is a non-profit organisation with minimal funding, providing a free service in support of Free Speech. Deflect users are typically non-profit websites whose critical views of authority or powerful interests put them at high risk of attack. Deflect's mission is to protect such sites from Denial of Service attacks by distributing their traffic over an array of Traffic Server nodes with aggressive caching, plus additional protection such as fail2ban that activates when a site comes under attack.
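To make the "activates when under attack" part concrete, here is an added example of the kind of rate-based trigger a fail2ban jail applies: a client that makes more than a threshold of requests within a short window is banned. This is illustrative code written for this page, not Deflect's configuration and not fail2ban itself (which reads log files and manages firewall rules out of process); the threshold, the window, the in-memory client table and the Common Log Format excerpt are all constructed, and only the time-of-day part of each log timestamp is parsed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed thresholds: a client that makes THRESHOLD requests within
   WINDOW seconds is banned, in the spirit of a fail2ban jail. */
#define THRESHOLD 5
#define WINDOW    10
#define MAX_IPS   64

typedef struct {
    char ip[64];
    long times[THRESHOLD];  /* ring buffer of the most recent request times */
    int  head;              /* next slot to write; when the ring is full, also the oldest */
    int  count;
    int  banned;
} client_t;

typedef struct { client_t clients[MAX_IPS]; int n; } tracker_t;

static client_t *find_client(tracker_t *tr, const char *ip) {
    for (int i = 0; i < tr->n; i++)
        if (strcmp(tr->clients[i].ip, ip) == 0) return &tr->clients[i];
    return NULL;
}

/* Record one request from ip at time t (seconds). Returns 1 if the client is banned. */
int record_request(tracker_t *tr, const char *ip, long t) {
    client_t *c = find_client(tr, ip);
    if (c == NULL) {
        if (tr->n == MAX_IPS) return 0;   /* table full: fail open (a real node would log this) */
        c = &tr->clients[tr->n++];
        memset(c, 0, sizeof *c);
        snprintf(c->ip, sizeof c->ip, "%s", ip);
    }
    if (c->banned) return 1;
    c->times[c->head] = t;
    c->head = (c->head + 1) % THRESHOLD;
    if (c->count < THRESHOLD) c->count++;
    /* With the ring full, times[head] is the oldest of the last THRESHOLD requests. */
    if (c->count == THRESHOLD && t - c->times[c->head] < WINDOW) c->banned = 1;
    return c->banned;
}

int is_banned(tracker_t *tr, const char *ip) {
    client_t *c = find_client(tr, ip);
    return c != NULL && c->banned;
}

/* Feed Common Log Format lines through the tracker. Only the client address and
   the HH:MM:SS part of the timestamp are parsed (seconds since midnight; a
   production version would convert the full date). Returns the lines parsed. */
int process_log(tracker_t *tr, const char *log) {
    int parsed = 0;
    const char *p = log;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256], ip[64];
        int h, m, s;
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (sscanf(line, "%63s - - [%*d/%*3s/%*d:%d:%d:%d", ip, &h, &m, &s) == 4) {
            record_request(tr, ip, h * 3600L + m * 60 + s);
            parsed++;
        }
        p = nl ? nl + 1 : p + len;
    }
    return parsed;
}

/* Constructed access-log excerpt: 203.0.113.7 bursts, 198.51.100.2 browses normally. */
const char SAMPLE_LOG[] =
    "203.0.113.7 - - [05/Nov/2012:10:00:01 +0000] \"GET / HTTP/1.1\" 200 512\n"
    "198.51.100.2 - - [05/Nov/2012:10:00:02 +0000] \"GET / HTTP/1.1\" 200 512\n"
    "203.0.113.7 - - [05/Nov/2012:10:00:02 +0000] \"GET /a HTTP/1.1\" 200 512\n"
    "203.0.113.7 - - [05/Nov/2012:10:00:03 +0000] \"GET /b HTTP/1.1\" 200 512\n"
    "203.0.113.7 - - [05/Nov/2012:10:00:03 +0000] \"GET /c HTTP/1.1\" 200 512\n"
    "203.0.113.7 - - [05/Nov/2012:10:00:04 +0000] \"GET /d HTTP/1.1\" 200 512\n"
    "203.0.113.7 - - [05/Nov/2012:10:00:05 +0000] \"GET /e HTTP/1.1\" 200 512\n"
    "198.51.100.2 - - [05/Nov/2012:10:00:06 +0000] \"GET /x HTTP/1.1\" 200 512\n"
    "198.51.100.2 - - [05/Nov/2012:10:00:09 +0000] \"GET /y HTTP/1.1\" 200 512\n";

int main(void) {
    tracker_t tr;
    memset(&tr, 0, sizeof tr);
    int n = process_log(&tr, SAMPLE_LOG);
    printf("parsed %d lines; 203.0.113.7 banned=%d, 198.51.100.2 banned=%d\n",
           n, is_banned(&tr, "203.0.113.7"), is_banned(&tr, "198.51.100.2"));
    return 0;
}
```

The ring buffer of the last THRESHOLD timestamps gives a true sliding window rather than fixed buckets, so a burst straddling a bucket boundary is still caught. On a caching frontend the numbers would be tuned far higher than the toy values here, and the ban would be expressed as a firewall rule with an expiry, which is what fail2ban manages.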

While Deflect is primarily a service, it has also involved some software development. A plugin that rewrites cookie domains, so that cookie-based login works through a reverse proxy, has been developed and will be contributed to the Traffic Server project. A download package is available for sysops to install and deploy new Deflect nodes.
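Why a cookie-domain rewrite is needed, and what it has to do, is easier to see in code. A browser only accepts a Set-Cookie whose Domain attribute covers the host it sent the request to; behind a reverse proxy that host is the public name, so a cookie the origin scopes to its own internal name is silently dropped and login never sticks. The function below, an added example for this page and not the Deflect plugin, rewrites just that attribute on a header value string; the hostnames `origin.internal` and `www.example.org` are constructed, and a real plugin would be invoked from the proxy's response-header hook rather than from `main`.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Compare the first alen bytes of a with the whole of b, ignoring case. */
static int ci_eq(const char *a, size_t alen, const char *b) {
    if (strlen(b) != alen) return 0;
    for (size_t i = 0; i < alen; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Copy the Set-Cookie value `in` to `out`, replacing a Domain attribute equal to
   `origin` (a leading dot and letter case are ignored) with `public_host`.
   All other attributes, their order and spacing are preserved. Returns 1 if a
   rewrite happened, 0 if the cookie was copied unchanged, -1 if `out` is too small. */
int rewrite_cookie_domain(const char *in, const char *origin, const char *public_host,
                          char *out, size_t cap) {
    size_t used = 0;
    int changed = 0;
    const char *p = in;
    while (*p) {
        const char *end = strchr(p, ';');
        size_t seglen = end ? (size_t)(end - p) : strlen(p);
        size_t lead = 0;
        while (lead < seglen && p[lead] == ' ') lead++;      /* keep the "; " spacing as-is */
        const char *a = p + lead;
        size_t alen = seglen - lead;
        char piece[256];
        int n;
        if (alen > 7 && ci_eq(a, 7, "domain=")) {
            const char *val = a + 7;
            size_t vlen = alen - 7;
            if (*val == '.') { val++; vlen--; }               /* ".example.org" means "example.org" */
            if (ci_eq(val, vlen, origin)) {
                n = snprintf(piece, sizeof piece, "%.*sDomain=%s", (int)lead, p, public_host);
                changed = 1;
            } else {
                n = snprintf(piece, sizeof piece, "%.*s", (int)seglen, p);
            }
        } else {
            n = snprintf(piece, sizeof piece, "%.*s", (int)seglen, p);
        }
        if (n < 0 || (size_t)n >= sizeof piece || used + (size_t)n + 2 > cap) return -1;
        memcpy(out + used, piece, (size_t)n);
        used += (size_t)n;
        if (end) { out[used++] = ';'; p = end + 1; } else p += seglen;
    }
    out[used] = '\0';
    return changed;
}

int main(void) {
    /* Constructed Set-Cookie as an origin behind the proxy might send it. */
    const char *from_origin = "session=abc123; Domain=origin.internal; Path=/; HttpOnly";
    char out[256];
    int r = rewrite_cookie_domain(from_origin, "origin.internal", "www.example.org", out, sizeof out);
    printf("rewritten=%d\n  in:  %s\n  out: %s\n", r, from_origin, out);
    return 0;
}
```

Only a Domain that names the origin is touched: a cookie with no Domain attribute is host-only and already works through the proxy, and a Domain for some other site is left for the browser to reject as it normally would. Secure, HttpOnly and Path survive the rewrite unchanged, which matters because a proxy that weakened those attributes would undo part of the protection it is meant to add.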