Securing Your Server via Sophos UTM 9

Below is an example configuration for Sophos UTM 9 Webserver Protection:

Sophos UTM 9 Webserver Protection
Web Application Firewall based on apache2 modsecurity2
--------------------------------------------------
1. Firewall Profiles -> Firewall Profile
--------------------------------------------------
Name: RhodeCode (can be anything)
Mode: Reject
Hardening & Signing:
    [ ] Static URL hardening
    [ ] Form hardening
    [x] Cookie Signing
Filtering:
    [x] Block clients with bad reputation
    [x] Common Threats Filter
    [ ] Rigid Filtering
        Skip Filter Rules:
            960015
            950120
            981173
            970901
            960010
            960032
            960035
            958291
            970903
            970003
Common Threat Filter Categories:
    [x] Protocol violations
    [x] Protocol anomalies
    [x] Request limit
    [x] HTTP policy
    [x] Bad robots
    [x] Generic attacks
    [x] SQL injection attacks
    [x] XSS attacks
    [x] Tight security
    [x] Trojans
    [x] Outbound
Scanning:
    [ ] Enable antivirus scanning
    [ ] Block uploads by MIME type
--------------------------------------------------
2. Web Application Firewall -> Real Webservers
--------------------------------------------------
Name: RhodeCode (can be anything)
Host: Your RhodeCode-Server (UTM object)
Type: Encrypted (HTTPS)
Port: 443
--------------------------------------------------
3. Web Application Firewall -> Virtual Webservers
--------------------------------------------------
Name: RhodeCode (can be anything)
Interface: WAN (your WAN interface)
Type: Encrypted (HTTPS) & redirect
Certificate: Wildcard or matching domain certificate
    Domains (in case of Wildcard certificate):
        rhodecode.yourcompany.com (match your DNS configuration)
        gist.yourcompany.com (match your DNS & RhodeCode configuration)
Real Webservers for path '/':
    [x] RhodeCode (created in step 2)
Firewall: RhodeCode (created in step 1)
--------------------------------------------------
4. Firewall Profiles -> Exceptions
--------------------------------------------------
Name: RhodeCode exceptions (can be anything)
Skip these checks:
    [ ] Cookie signing
    [ ] Static URL Hardening
    [ ] Form hardening
    [x] Antivirus scanning
    [x] True file type control
    [ ] Block clients with bad reputation
Skip these categories:
    [ ] Protocol violations
    [x] Protocol anomalies
    [x] Request limits
    [ ] HTTP policy
    [ ] Bad robots
    [ ] Generic attacks
    [ ] SQL injection attacks
    [ ] XSS attacks
    [ ] Tight security
    [ ] Trojans
    [x] Outbound
Virtual Webservers:
    [x] RhodeCode (created in step 3)
For All Requests:
    Web requests matching this pattern:
        /_channelstream/ws
        /Repository1/*
        /Repository2/*
        /Repository3/*
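
The following is an added example, not part of the RhodeCode documentation: a small Python check of which request paths fall under the step 4 exception and therefore bypass the ticked checks. It assumes the patterns behave as simple globs in which `*` matches any characters, and that matching is done on the path without the query string; the sample request paths are constructed.

```python
from fnmatch import fnmatchcase

# Path patterns listed under "For All Requests" in step 4 above.
EXCEPTION_PATTERNS = [
    "/_channelstream/ws",
    "/Repository1/*",
    "/Repository2/*",
    "/Repository3/*",
]

# Boxes ticked under "Skip these checks" / "Skip these categories" in step 4.
SKIPPED = ["Antivirus scanning", "True file type control",
           "Protocol anomalies", "Request limits", "Outbound"]

# Constructed sample request targets, e.g. as they would appear in an access log.
SAMPLE_PATHS = [
    "/Repository1/info/refs?service=git-upload-pack",
    "/Repository1",
    "/Repository10/files/tip/",
    "/Repository2/git-receive-pack",
    "/_channelstream/ws",
    "/_channelstream/connect",
    "/_admin/login",
]

def matching_pattern(target, patterns=EXCEPTION_PATTERNS):
    """Return the first exception pattern that covers the request, or None."""
    path = target.split("?", 1)[0]  # assumption: the query string is not matched
    for pattern in patterns:
        # assumption: '*' is a glob wildcard that also spans '/'
        if fnmatchcase(path, pattern):
            return pattern
    return None

def audit(targets, patterns=EXCEPTION_PATTERNS):
    """Map each request to the checks it bypasses (empty list = fully filtered)."""
    return {t: (SKIPPED if matching_pattern(t, patterns) else []) for t in targets}

def unused_patterns(targets, patterns=EXCEPTION_PATTERNS):
    """Patterns that match none of the sample requests (candidates for removal)."""
    hit = {matching_pattern(t, patterns) for t in targets}
    return [p for p in patterns if p not in hit]

if __name__ == "__main__":
    for target, skipped in audit(SAMPLE_PATHS).items():
        print(f"{target:50} {'SKIPS ' + ', '.join(skipped) if skipped else 'fully filtered'}")
    print("no sample traffic for:", unused_patterns(SAMPLE_PATHS))
```

Under these assumptions, `/Repository1` without a trailing segment and `/Repository10/...` are not covered by `/Repository1/*` and stay fully filtered, while every path below `/Repository1/` skips the ticked checks.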