@jpmschuler
Last active December 16, 2021 22:37

The following is a brainstorm on how to configure an OUTGOING WAF, i.e. a whitelist of all hostnames that are allowed to be reached via HTTP(S). Explicitly missing are additional port openings, e.g. for SSH connections, AUTH providers, or for downloading from GitHub via ssh+git instead of HTTPS.

The main idea is that one system hosts TYPO3 and a second system builds and deploys TYPO3; the latter is perhaps a Docker-based GitLab Runner.

Rule-Groups

  • TYPO3-Production (the actual webserver)
    • TYPO3-Hosting and Updates
  • TYPO3-Deployment (the system doing the composer install)
    • TYPO3-Hosting and Updates
    • Package Manager Composer
    • (optional) TYPO3-Private-3rdParty Repositories
    • (optional) Package Manager NPM/Node.JS
  • GitLab-CI/CD-Runner (the system running the docker machine via Gitlab Runner)
    • Docker-HUB
    • Linux-Repo: GitLab-Runner
    • GitLab-Instance

Rule: TYPO3-Hosting and Updates

Depending on the TYPO3 version and the deployment strategy this might (or should) even be unnecessary, but it would cover

  • backend reports checking whether a TYPO3 update is available.
  • the l10n packages for language updates.
  • the TER for non-composer installs (a wildcard makes things easier).
  • ^https://([A-Za-z0-9.-]*\.)?typo3\.org/

Rule: Package Manager Composer

Composer is used to gather the TYPO3 packages. Composer uses Packagist to gather packages from common hosters like GitHub, GitLab and Bitbucket, so this should cover the most common cases. This is of course the most open rule, but that is how Packagist works.

  • ^https://getcomposer\.org/
  • ^https://([A-Za-z0-9.-]*\.)?packagist\.org/
  • ^https://([A-Za-z0-9.-]*\.)?github\.com/
  • ^https://([A-Za-z0-9.-]*\.)?githubusercontent\.com/
  • ^https://([A-Za-z0-9.-]*\.)?gitlab\.com/
  • ^https://([A-Za-z0-9.-]*\.)?bitbucket\.org/

Rule: TYPO3-Private-3rdParty Repositories

Additional URLs for private packages or for packages self-hosted by the developer on a non-typical server, e.g.

Rule: GitLab-Instance

As we want to register our runner with the GitLab instance, this must be defined, since registration is done via HTTPS, e.g.

Rule: Linux-Repo: GitLab-Runner

Package repository to install GitLab Runner on, e.g., Ubuntu.

Rule: Docker-HUB

Download of Docker images by the GitLab Runner needs access to Docker Hub, the Docker registry and the registry download servers; a wildcard won't really hurt here.

  • ^https://([A-Za-z0-9.-]*\.)?docker\.com/
  • ^https://([A-Za-z0-9.-]*\.)?docker\.io/

Rule: Package Manager NPM/Node.JS

Node might be used additionally for build and CI tools. Node stores the package copies on its own servers, so just one URL is needed.
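The rule groups above are only useful if the patterns are tested against the URLs you actually expect to allow and, just as importantly, against lookalike hosts you expect to block. The following is an added example (not part of the gist, and independent of whatever WAF product is used to enforce the rules) that models the rule groups as Python regexes and checks outgoing URLs against them. It assumes the dots before each apex domain are escaped (`typo3\.org` rather than `typo3.org`); with an unescaped `.` a pattern such as `^https://([A-Za-z0-9.-]*.)?typo3.org/` also matches hosts like `eviltypo3.org`, which the `lookalike_check` function below demonstrates as a regression test. The group names, rule names and example URLs are taken from the gist; the hostnames used as negative test cases are constructed.

```python
import re
from urllib.parse import urlsplit

# Hostname-pattern allowlist, grouped as in the gist. The sub-pattern
# ([A-Za-z0-9.-]*\.)? optionally admits subdomains; the dots of the apex
# domain are escaped so only a literal "." is accepted before it.
RULES = {
    "TYPO3-Hosting and Updates": [
        r"^https://([A-Za-z0-9.-]*\.)?typo3\.org/",
    ],
    "Package Manager Composer": [
        r"^https://getcomposer\.org/",
        r"^https://([A-Za-z0-9.-]*\.)?packagist\.org/",
        r"^https://([A-Za-z0-9.-]*\.)?github\.com/",
        r"^https://([A-Za-z0-9.-]*\.)?githubusercontent\.com/",
        r"^https://([A-Za-z0-9.-]*\.)?gitlab\.com/",
        r"^https://([A-Za-z0-9.-]*\.)?bitbucket\.org/",
    ],
    "Docker-HUB": [
        r"^https://([A-Za-z0-9.-]*\.)?docker\.com/",
        r"^https://([A-Za-z0-9.-]*\.)?docker\.io/",
    ],
}

# Which rules each system gets (mirrors the "Rule-Groups" section of the gist).
GROUPS = {
    "TYPO3-Production": ["TYPO3-Hosting and Updates"],
    "TYPO3-Deployment": ["TYPO3-Hosting and Updates", "Package Manager Composer"],
    "GitLab-CI/CD-Runner": ["Docker-HUB"],
}


def normalize(url):
    """Rebuild the URL from its parsed parts so that userinfo and port are
    dropped, the hostname is lower-cased and a missing path becomes "/".
    Returns None for anything that is not an https URL with a hostname."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    return f"https://{parts.hostname}{parts.path or '/'}"


def is_allowed(system, url):
    """True when any rule assigned to `system` matches the normalized URL."""
    target = normalize(url)
    if target is None:
        return False
    for rule in GROUPS[system]:
        for pattern in RULES[rule]:
            if re.match(pattern, target):
                return True
    return False


def lookalike_check():
    """Regression check for the escaping: the unescaped pattern admits the
    constructed lookalike host eviltypo3.org, the escaped one does not.
    Returns (unescaped_matches, escaped_matches)."""
    host = "https://eviltypo3.org/"  # constructed lookalike, not a real rule
    unescaped = re.match(r"^https://([A-Za-z0-9.-]*.)?typo3.org/", host) is not None
    escaped = re.match(r"^https://([A-Za-z0-9.-]*\.)?typo3\.org/", host) is not None
    return unescaped, escaped


if __name__ == "__main__":
    for system, url in [
        ("TYPO3-Production", "https://get.typo3.org/"),
        ("TYPO3-Production", "https://repo.packagist.org/"),
        ("TYPO3-Deployment", "https://repo.packagist.org/packages.json"),
        ("GitLab-CI/CD-Runner", "https://registry-1.docker.io/v2/"),
    ]:
        print(f"{system:20s} {url:45s} {'allow' if is_allowed(system, url) else 'deny'}")
    print("unescaped/escaped pattern matches eviltypo3.org:", lookalike_check())
```

Normalizing through `urlsplit` before matching means tricks such as `https://typo3.org@example.com/` are judged on the real hostname (`example.com`), and the same check can be reused as a unit test whenever a rule is added to one of the groups.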
