Solution Overview

The goal of ProxyPass is, quite simply, to protect members-area websites against brute-force password cracking attempts, password violations, and bandwidth spikes. ProxyPass performs these functions so well, in fact, that our customers experience the following benefits:

• decreased server loads, bandwidth, and downtime
• decreased sysadmin labor time and server TCO
• decreased stolen content and compromised passwords
• increased system performance and member satisfaction

Architecture

ProxyPass is a highly optimized C module that armors the authentication and authorization routines of an Apache server. The software supports both multiple virtualhosts on a single server and clustered domains that are load-balanced across many machines. ProxyPass is broadly customizable with an easy-to-use and finely-scopable directive syntax that conforms to the Apache config standards. This allows an administrator total control over detection thresholds and denial behavior. And, of course, ProxyPass detects and defends single servers and load-balanced clusters against the following:

• cracking attacks tunneled through open proxies and drones
• cracking attacks from single-source or distributed networks of non-proxy IPs
• compromised accounts used by too many people, across too many IP subnets or countries
• site scraping by rapidly downloading all protected content

Key Features

With each successive ProxyPass release, our developers work closely with customers to provide them new, widely-desired features without sacrificing the underlying fundamentals of rock-solid stability and minimal client performance impact. To showcase just a few favorites from a rich feature set, please consider the following:

Nominal Performance Impact: Rigorous testing and real-world deployments have shown the memory, CPU, and bandwidth requirements of ProxyPass will -not- adversely impact your system. The ProxyPass client module uses an extremely fast, C architecture that is completely resident and configurable on your servers. It is not a "hosted" script, nor dependent on network transactions with our centralized servers to operate correctly. This ensures a robust defense, and a fast surfing experience for your members. In fact, during strenuous, real-world attacks, ProxyPass outperforms competitive products over 10x. For some customers, ProxyPass has decreased the system load averages under heavy attack nearly 50x.

"Intelligent" Proxy & Drone Defense: Using our custom "Secure Level" approach, administrators have fine-grained control over the handling of open proxies and drones (see FAQ). Options include: immediate denial, selective denial based on behavior thresholds, and selective denial if the system is in a pre-defined, "under-attack" state. And by sharing in our large, up-to-date database of information about abused proxies and drones, ProxyPass clients gain the proactive benefits of finding out about problem IPs that have attacked others before they become a problem.

HTML Form & CAPTCHA Logins: ProxyPass natively includes features for HTML form-based logins, while remaining fully compliant with Apache authentication standards. This can replace the traditional popup dialog box with a "skinnable" login form that includes an optional "captcha" input. Native captchas and Google's reCAPTCHA are both supported. And unlike competitive products, ProxyPass' captcha functions do -not- require additional scripts or changes to your members area links, authentication framework or members management system. ProxyPass is always fully compatible with standard authentication features such as multiple authentication realms per domain or authorization groups. And although captcha-type challenge systems are not foolproof (see FAQ), they provide an additional tool in the ProxyPass arsenal when defending against brute-force attacks.

Full CDN Compatibility: ProxyPass is fully compatible with caching delivery networks (i.e. StackPath, Cloudfront, Edgecast) whether using username/password or time-sensitive token security.

Enterprise-Class Clustering: For Apache clusters serving up load-balanced domains, ProxyPass has an immediate advantage over competitive products: it can quickly propagate threshold and block information across all nodes. Without it, websites experience "partial-denial" problems: a block exists on only part of the cluster while unnecessary effort is wasted to detect attacks on each node. The ProxyPass reporting toolprovides a "cluster-wide" perspective (i.e. block info, search capability) from any single node. For our larger clients, this feature greatly reduces management overhead and complexity.

System Requirements

The ProxyPass module requires a UNIX-based, Apache server configured with dynamic shared object support (i.e. DSO, mod_so.c). ProxyPass is compatible with all Apache 2.x versions, and a beta module is available for NGINX servers. ProxyPass has been deployed successfully on many UNIX variants (i.e. Linux, FreeBSD, Solaris, MacOSX) in both 32bit and 64bit flavors. The module is not currently available for WIN32 versions of Apache. Of course, ProxyPass also requires money.