I am working on installing a Drupal site that allows users to store and display files (.doc, .pdf, .xls, etc) files at a high end secure data center with DMZs and the like. The customer's data center doesn't allow them to have web applications that store flat files on the front end web server machine.
They are accustomed to having web applications that store these binary files directly into their database (i.e. sharepoint) using ISA. We have already suggested that they have an NFS mount or a Samba share between the front end server and the protected server behind the DMZ, but this doesn't satisfy security requirements to have these ports open across the DMZ. They are allowed to have a MySQL port (3306) open to keep the database behind the DMZ.
I'm wondering if anyone else has encountered something like this problem and found a good work around. Or, do you have any ideas about how to protect the flat files behind the DMZ? I have also suggested that we just put a proxy up on the front end server and keep the entire Drupal installation on the back end, we may end up going with this but I'm not sure if this will meet their security requirements. Is there a specific proxy server that would work best for this?
Are there any ways that we can show that it is safe to keep the flat files on the front end server if Drupal is running ? We are already using private files and keeping the directory path for these files outside of the drupal install path.