
Can a Reverse Proxy be used instead of port filtering?

Çağlar Arlı      -    82 Views


I want to limit access from the Internet to my Web server but the clients will have a dynamic IP address so the best I can do is to whitelist all addresses belonging to that specific mobile carrier which still leaves the system open to too many users.

Functionality can be denied by use of a reverse proxy (I'm using HAProxy on pfSense) so that if the request doesn't match an ACL, it gets rejected. This still lets the attacker communicate with HAProxy and eventually exploit a vulnerability.

I know I can configure HAProxy to not provide an HTTP error code in case of failure, but is this enough?

From my understanding the proxy's TCP port would still be open to everyone. Port-scanning systems would not get an HTTP code back, but at the transport level they would see an open port, am I right?

What else can I do, considering that pfSense does not natively support deep packet inspection?

Can ntop, Snort or Suricata help?

My goal is to not show an open port to port scans from the Internet, is this achievable without IP filtering?
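The transport-level point raised in the question can be checked locally. The following script is an added example, not code from the question's author or from HAProxy or pfSense: it starts a listener on the loopback interface that accepts every TCP connection and closes it immediately (the closest a proxy can get to "rejecting" at the connection level, since the kernel completes the three-way handshake before the proxy sees anything), then classifies that port the way a transport-level probe would, beside a port with no listener at all. The port numbers are chosen by the OS at run time and the `127.0.0.1` host is an assumption of the example.

```python
import socket
import threading


def start_rejecting_listener(host="127.0.0.1"):
    """Start a listener that accepts every TCP connection and closes it at once.

    This stands in for a reverse proxy that rejects non-matching traffic at
    the application layer: the kernel has already answered the SYN with
    SYN/ACK before the proxy gets to accept() and drop the connection.
    Returns (server_socket, port); the port is assigned by the OS.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))          # port 0: let the OS pick a free port
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:      # listener closed -> stop the thread
                return
            conn.close()         # reject immediately, no bytes sent back

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(host="127.0.0.1"):
    """Return a port number that currently has no listener (constructed sample)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def tcp_port_state(host, port, timeout=1.0):
    """Classify a port the way a transport-level probe would see it.

    'open'     : handshake completed, so a listener exists (whatever it does next)
    'closed'   : connection refused (RST came back, no listener)
    'filtered' : no answer within the timeout (a firewall dropped the SYN)
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    finally:
        s.close()


if __name__ == "__main__":
    srv, port = start_rejecting_listener()
    print(f"rejecting listener on {port}: {tcp_port_state('127.0.0.1', port)}")
    unused = free_port()
    print(f"no listener on {unused}: {tcp_port_state('127.0.0.1', unused)}")
    srv.close()
```

The rejecting listener reports `open` even though it never lets a request through, because the handshake is answered by the kernel, not by the proxy. The `filtered` state only appears when the SYN itself gets no reply, which is what a firewall rule that drops the packet produces and a proxy ACL cannot, regardless of how quietly HAProxy closes the connection.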