简体繁体 English

在DMZ上使用IIS

[英]Working with IIS on DMZ

原文 2017-09-13 12:47:14 6 1 asp.net/ sql-server/ iis/ architecture/ dmz

Scenario 情境

I have an application that I have been developing for two years. 我有一个已经开发了两年的应用程序。 I use the framework .NET to develop it in a language called Oxygene that comes from Pascal. 我使用.NET框架以Pascal的Oxygene语言开发它。 When I have something new in my code, I publish my application in File System method. 当我的代码中有新内容时，我将以文件系统方法发布应用程序。 I have a couple servers working on Amazon EC2, so I transfer this files to a folder in my IIS Server. 我在Amazon EC2上有几个服务器，因此我将此文件传输到IIS服务器中的文件夹中。 In this IIS Server I already have a website that corresponds to my application, so I just replace the old files for the newest files. 在此IIS服务器中，我已经有一个与我的应用程序相对应的网站，因此我只是将旧文件替换为最新文件。 I have another server that works as an SQL server. 我有另一台充当SQL服务器的服务器。 Last detail is that in my application the user is able to attach files, import pictures, export PDF and Excel files. 最后一个细节是，在我的应用程序中，用户可以附加文件，导入图片，导出PDF和Excel文件。 Attachments and pictures are stored in the same folder the application is located. 附件和图片存储在应用程序所在的文件夹中。

Issue 问题

Here is my problem. 这是我的问题。 I have got a new client that is kind of a big client. 我有一个很大的新客户。 It seems like this company has a strong IT security, so the application must be located in their servers. 该公司似乎具有强大的IT安全性，因此应用程序必须位于其服务器中。 The big problem is that they required my application to be set in the following architecture: 最大的问题是他们要求将我的应用程序设置为以下体系结构：

I am used to only use an app server (works for external access) and a SQL server. 我曾经只使用应用程序服务器（可用于外部访问）和SQL Server。 They want the third server in DMZ net so they can let external access happen. 他们想要DMZ网络中的第三台服务器，以便可以进行外部访问。 The reason the application can't be placed in the DMZ is because there are the files I mentioned bellow that the user stores in the application. 无法将应用程序放置在DMZ中的原因是因为下面提到的文件是用户存储在应用程序中的文件。 The database stores all the data, but not those files mentioned. 数据库存储所有数据，但不存储提到的那些文件。

Solutions I have offered, but won't be accepted: 我提供的解决方案，但不会被接受：

Publishing the application in a IIS server located in the DMZ: That won't be accepted since my application stores user attachments in the same folder the application is located. 在DMZ中的IIS服务器中发布应用程序： 由于我的应用程序将用户附件存储在应用程序所在的同一文件夹中，因此不会被接受。 There are also images stored there. 也有图像存储在那里。
Publishing the application in the app server, but also publishing a empty application in the DMZ server redirecting to the IIS server inside the LAN: That's the best solution I have come up. 在应用服务器中发布该应用程序，但还在DMZ服务器中发布一个空的应用程序，重定向到LAN内的IIS服务器： 这是我提出的最佳解决方案。
Using a reverse proxy to protect the LAN Net: This is off the table, since reverse proxy is not safe at all. 使用反向代理保护LAN Net： 这是不可行的，因为反向代理根本不安全。

I am kind of confused because I can't see a way to separate my application in two to make it work in that suggested architecture. 我有点困惑，因为我看不到将应用程序一分为二以使其在建议的体系结构中工作的方法。

Can anybody give me a hint or ideas of how this would work? 有人能给我提示或想法吗？

1 个解决方案

You can't "redirect" to inside the LAN, a redirect is a client-side operation, so if the internal server isn't already exposed, you can't redirect someone to it. 您不能“重定向”到LAN内部，重定向是一种客户端操作，因此，如果内部服务器尚未公开，则无法将某人重定向到它。

A reverse proxy is likely your best bet. 反向代理可能是您最好的选择。 Why do you believe it is not safe? 您为什么认为它不安全？ This is a tried-and-true solution, it allows you to leave additional ports/services open to internal requests (like a file server, which it sounds like you are trying to expose). 这是一个久经考验的解决方案，它允许您将其他端口/服务留给内部请求（例如文件服务器， 听起来像是在尝试公开），以供内部请求使用。

How are these files getting uploaded? 这些文件如何上传？ Are you using FTP? 您在使用FTP吗？ SMB? 中小型企业？ HTTP? HTTP？ This solution will not expose those other protocols to the outside world (please don't expose SMB to the outside, it will result in tragedy). 此解决方案不会将其他协议暴露给外界（请不要将SMB暴露给外界，否则将导致悲剧）。 Do the external users need to upload these files? 外部用户需要上传这些文件吗？