env-variables: make it safer if there's a syntax problem inside .ini file. It's better to not crash, since it means server won't start. Let users fix problems instead of breaking the startup because of that.

File last commit:

r2635:1a07b261 default
r3237:5cf82ecc default
sec-sophos-umc.rst
.. _sec-sophos-umc:

Securing Your Server via Sophos UTM 9
-------------------------------------

Below is an example configuration for Sophos UTM 9 Webserver Protection::

    Sophos UTM 9 Webserver Protection
    Web Application Firewall based on apache2 mod_security2

    --------------------------------------------------
    1. Firewall Profiles -> Firewall Profile
    --------------------------------------------------
    Name: RhodeCode (can be anything)
    Mode: Reject
    Hardening & Signing:
        [ ] Static URL hardening
        [ ] Form hardening
        [x] Cookie Signing
    Filtering:
        [x] Block clients with bad reputation
        [x] Common Threats Filter
        [ ] Rigid Filtering
    Skip Filter Rules:
        960015
        950120
        981173
        970901
        960010
        960032
        960035
        958291
        970903
        970003
    Common Threat Filter Categories:
        [x] Protocol violations
        [x] Protocol anomalies
        [x] Request limit
        [x] HTTP policy
        [x] Bad robots
        [x] Generic attacks
        [x] SQL injection attacks
        [x] XSS attacks
        [x] Tight security
        [x] Trojans
        [x] Outbound
    Scanning:
        [ ] Enable antivirus scanning
        [ ] Block uploads by MIME type

    --------------------------------------------------
    2. Web Application Firewall -> Real Webservers
    --------------------------------------------------
    Name: RhodeCode (can be anything)
    Host: Your RhodeCode-Server (UTM object)
    Type: Encrypted (HTTPS)
    Port: 443

    --------------------------------------------------
    3. Web Application Firewall -> Virtual Webservers
    --------------------------------------------------
    Name: RhodeCode (can be anything)
    Interface: WAN (your WAN interface)
    Type: Encrypted (HTTPS) & redirect
    Certificate: Wildcard or matching domain certificate
    Domains (in case of Wildcard certificate):
        rhodecode.yourcompany.com (match your DNS configuration)
        gist.yourcompany.com (match your DNS & RhodeCode configuration)
    Real Webservers for path '/':
        [x] RhodeCode (created in step 2)
    Firewall: RhodeCode (created in step 1)

    --------------------------------------------------
    4. Firewall Profiles -> Exceptions
    --------------------------------------------------
    Name: RhodeCode exceptions (can be anything)
    Skip these checks:
        [ ] Cookie signing
        [ ] Static URL Hardening
        [ ] Form hardening
        [x] Antivirus scanning
        [x] True file type control
        [ ] Block clients with bad reputation
    Skip these categories:
        [ ] Protocol violations
        [x] Protocol anomalies
        [x] Request limits
        [ ] HTTP policy
        [ ] Bad robots
        [ ] Generic attacks
        [ ] SQL injection attacks
        [ ] XSS attacks
        [ ] Tight security
        [ ] Trojans
        [x] Outbound
    Virtual Webservers:
        [x] RhodeCode (created in step 3)
    For All Requests:
        Web requests matching this pattern:
            /_channelstream/ws
            /Repository1/*
            /Repository2/*
            /Repository3/*
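
The step 4 exception switches off several checks for every request path that matches its patterns, so it is worth confirming how far those patterns reach before adding more repositories. The script below is an added example, not part of the RhodeCode documentation: it assumes the UTM matches paths like shell-style globs (verify this against your appliance), and the probe paths are constructed samples.

```python
from fnmatch import fnmatchcase

# Patterns from "Web requests matching this pattern" in step 4.
# Repository1..3 are the page's placeholders for real repository names.
EXCEPTION_PATTERNS = [
    "/_channelstream/ws",
    "/Repository1/*",
    "/Repository2/*",
    "/Repository3/*",
]

# The [x] entries under "Skip these checks" / "Skip these categories".
SKIPPED = ["Antivirus scanning", "True file type control",
           "Protocol anomalies", "Request limits", "Outbound"]

# Constructed probe paths that should never fall under an exception.
SENSITIVE_PROBES = ["/", "/_admin/login", "/_admin/settings"]


def exception_applies(path, patterns=EXCEPTION_PATTERNS):
    """Return the first pattern matching the request path, or None.

    Assumption: glob semantics where '*' also spans '/' characters.
    The query string is dropped because only the path is compared.
    """
    path = path.split("?", 1)[0]
    for pattern in patterns:
        if fnmatchcase(path, pattern):
            return pattern
    return None


def audit(paths, patterns=EXCEPTION_PATTERNS):
    """Map each path to the checks skipped for it ([] = fully filtered)."""
    return {p: list(SKIPPED) if exception_applies(p, patterns) else []
            for p in paths}


def overbroad(patterns, probes=SENSITIVE_PROBES):
    """Return patterns that would also exempt a sensitive probe path."""
    return [pat for pat in patterns
            if any(fnmatchcase(probe, pat) for probe in probes)]


if __name__ == "__main__":
    sample = ["/Repository1/info/refs?service=git-upload-pack",
              "/_channelstream/ws", "/_admin/login", "/Repository10/x"]
    for path, skipped in audit(sample).items():
        print(f"{path:50} skips: {', '.join(skipped) or 'nothing'}")
    print("over-broad patterns:", overbroad(EXCEPTION_PATTERNS + ["/*"]))
```

Run it with your real repository patterns in ``EXCEPTION_PATTERNS``; any pattern reported by ``overbroad`` would disable antivirus, file type, anomaly, request limit and outbound checks on pages outside the repositories.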