##// END OF EJS Templates
settings: reduce number of settings fetch since it uses locking for cache invalidation and is generally slow....
settings: reduce number of settings fetch since it uses locking for cache invalidation and is generally slow. We anyway load it per-request so we can re-use this.

File last commit:

r2635:1a07b261 default
r3855:e1ec64bd default
Show More
sec-sophos-umc.rst
100 lines | 3.2 KiB | text/x-rst | RstLexer

Securing Your Server via Sophos UTM 9

Below is an example configuration for Sophos UTM 9 Webserver Protection:

Sophos UTM 9 Webserver Protection
Web Application Firewall based on apache2 modesecurity2
--------------------------------------------------
1. Firewall Profiles -> Firewall Profile
--------------------------------------------------
Name: RhodeCode (can be anything)
Mode: Reject
Hardening & Signing:
    [ ] Static URL hardeninig
    [ ] Form hardening
    [x] Cookie Signing
Filtering:
    [x] Block clients with bad reputation
    [x] Common Threats Filter
    [ ] Rigid Filtering
        Skip Filter Rules:
            960015
            950120
            981173
            970901
            960010
            960032
            960035
            958291
            970903
            970003
Common Threat Filter Categories:
    [x] Protocol violations
    [x] Protocol anomalies
    [x] Request limit
    [x] HTTP policy
    [x] Bad robots
    [x] Generic attacks
    [x] SQL injection attacks
    [x] XSS attacks
    [x] Tight security
    [x] Trojans
    [x] Outbound
Scanning:
    [ ] Enable antivirus scanning
    [ ] Block uploads by MIME type
--------------------------------------------------
2. Web Application Firewall -> Real Webservers
--------------------------------------------------
Name: RhodeCode (can be anything)
Host: Your RhodeCode-Server (UTM object)
Type: Encrypted (HTTPS)
Port: 443
--------------------------------------------------
3. Web Application Firewall -> Virual Webservers
--------------------------------------------------
Name: RhodeCode (can be anything)
Interface: WAN (your WAN interface)
Type: Encrypted (HTTPS) & redirect
Certificate: Wildcard or matching domain certificate
    Domains (in case of Wildcard certificate):
        rhodecode.yourcompany.com (match your DNS configuration)
        gist.yourcompany.com (match your DNS & RhodeCode configuration)
Real Webservers for path '/':
    [x] RhodeCode (created in step 2)
Firewall: RhodeCode (created in step 1)
--------------------------------------------------
4. Firewall Profiles -> Exceptions
--------------------------------------------------
Name: RhodeCode exceptions (can be anything)
Skip these checks:
    [ ] Cookie signing
    [ ] Static URL Hardening
    [ ] Form hardening
    [x] Antivirus scanning
    [x] True file type control
    [ ] Block clients with bad reputation
Skip these categories:
    [ ] Protocol violations
    [x] Protocol anomalies
    [x] Request limits
    [ ] HTTP policy
    [ ] Bad robots
    [ ] Generic attacks
    [ ] SQL injection attacks
    [ ] XSS attacks
    [ ] Tight security
    [ ] Trojans
    [x] Outbound
Virtual Webservers:
    [x] RhodeCode (created in step 3)
For All Requests:
    Web requests matching this pattern:
        /_channelstream/ws
        /Repository1/*
        /Repository2/*
        /Repository3/*