Yup, though I'm unclear on where the web server fits into the picture. You say that your script "does not reside on the web server," but then say that FW2 only allows http and https to pass through. Does that mean that the web server is on M1, or on separate box?

With the caveat that I'm not an expert, this sounds like a pretty solid scheme, as long as you're keeping up with vendor patches for the web server (and firewall vendor patches for the firewall).