To minimize risks of Web server exploitation, use a pool of reverse proxies in DMZ to isolate services inside of the cloud that may be vulnerable to attacks when directly accessed from the Internet.
To set up a reverse proxy:
Install the latest vanilla Linux distribution (Ubuntu) with all security patches installed.
Install a minimal set of packages.
Note
Only web server components must be provided with the latest security updates. No cloud services should be exposed in DMZ.
Install Nginx as a lightweight reverse proxy server with a support of encryption and caching.
You can also use a reverse proxy as: