First, another option for a reverse proxy is squid:
http://wiki.squid-cache.org/SquidFaq/ReverseProxy
Second, assuming Apache web server is going to be used only as a reverse proxy (and not serving web pages itself), there are a number of things you can do to lock it down.
Off the top of my head here are some suggestions:
Lock down default Directory permissions
Code:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
Other Directory stanzas can likely be removed altogether.
Ensure httpd is running as an unprivileged user
Example:
Code:
User apache
Group apache
This will of course need to be a service account on your system.
Disable loading of some potentially dangerous modules
Including:
- mod_userdir
- mod_info
- mod_status
- mod_include
- mod_dav* (unless acting as a webdav service)
Make easily retrievable server info a little quieter
Two directives:
Code:
ServerSignature Off
ServerTokens ProductOnly
-------
Those are just a few of the more obvious things. You might explore mod_security and its capabilities at some point.
Reverse proxies are very cool, because in addition to potentially offering better performance for the end user, they act as an "application firewall".
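The checklist above can be checked mechanically against a configuration file. The following is an added example, not part of the original post: a small Python audit that takes the text of an httpd.conf and reports which of the suggested settings are missing. The function name `audit`, the finding strings and the two sample configs are assumptions made for illustration; it also accepts `Require all denied`, the Apache 2.4 form of `Deny from all`, and `Prod`, the short form of `ProductOnly`.

```python
import re

# Module identifiers for the modules the post lists (mod_dav* is matched by prefix).
RISKY = {"userdir_module", "info_module", "status_module", "include_module"}

def audit(conf_text):
    """Return a sorted list of findings; an empty list means every check passed."""
    root, top, in_root = set(), {}, False
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out directives do not count
        if re.fullmatch(r'<Directory "?/"?>', line, re.I):
            in_root = True
        elif line.lower() == "</directory>":
            in_root = False
        elif in_root:
            root.add(line.lower())
        elif not line.startswith("<"):
            name, _, value = line.partition(" ")
            top.setdefault(name.lower(), []).append(value)
    last = lambda key: (top.get(key) or [""])[-1].lower()  # last occurrence wins
    findings = []
    if not ({"deny from all", "require all denied"} & root):
        findings.append("root-directory: access not denied by default")
    for want in ("options none", "allowoverride none"):
        if want not in root:
            findings.append(f"root-directory: missing '{want}'")
    for key in ("user", "group"):
        if last(key) in ("", "root", "#0"):
            findings.append(f"{key}: unset or privileged")
    for value in top.get("loadmodule", []):
        module = value.split(" ")[0].lower()
        if module in RISKY or module.startswith("dav"):
            findings.append(f"module loaded: {module}")
    if last("serversignature") != "off":
        findings.append("ServerSignature is not Off")
    if last("servertokens") not in ("prod", "productonly"):
        findings.append("ServerTokens is not ProductOnly")
    return sorted(findings)

# Constructed sample configs (not from the post).
WEAK = ("User root\nLoadModule status_module modules/mod_status.so\n"
        "LoadModule dav_fs_module modules/mod_dav_fs.so\n#ServerSignature Off\n")
HARDENED = ("<Directory />\nOrder Deny,Allow\nDeny from all\nOptions None\n"
            "AllowOverride None\n</Directory>\nUser apache\nGroup apache\n"
            "ServerSignature Off\nServerTokens ProductOnly\n")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf))
```

The parser is deliberately simple: it does not follow `Include` files or evaluate `<IfModule>` conditions, so run it over the fully assembled configuration.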