The following is a brainstorm on how to configure an OUTGOING WAF, that is, a whitelist of all hostnames to which connections via HTTP(S) are allowed. Explicitly not covered are additional port openings, e.g. for SSH connections or AUTH providers, or to allow downloads from GitHub via ssh+git instead of HTTPS.
The main idea is that one system hosts TYPO3 and another system creates and deploys TYPO3; the latter is perhaps a Docker-based GitLab Runner.
- TYPO3-Production (the actual webserver)
  - TYPO3-Hosting and Updates
- TYPO3-Deployment (the system doing the composer install)
  - TYPO3-Hosting and Updates
  - Package Manager Composer
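
The per-system whitelist described above, as an added Python example that is not part of the original page: production may reach only the TYPO3 hosts, while deployment may also reach the Composer hosts. The hostnames, the `*.` wildcard syntax and the function names are assumptions for illustration, not a vetted list.

```python
from urllib.parse import urlsplit

# Assumed hostnames for illustration; not a vetted list from the page.
TYPO3_HOSTS = {"typo3.org", "*.typo3.org"}
COMPOSER_HOSTS = {"packagist.org", "repo.packagist.org"}
ALLOWLIST = {
    "production": TYPO3_HOSTS,                   # webserver: TYPO3 updates only
    "deployment": TYPO3_HOSTS | COMPOSER_HOSTS,  # also runs composer install
}
DEFAULT_PORT = {"http": 80, "https": 443}


def host_allowed(host, patterns):
    host = host.rstrip(".").lower()  # 'Get.TYPO3.org.' equals 'get.typo3.org'
    for pattern in patterns:
        if pattern.startswith("*."):
            suffix = pattern[1:]  # '.typo3.org': match on a label boundary only
            if host.endswith(suffix) and host != suffix:
                return True
        elif host == pattern:
            return True
    return False


def check_request(system, url):
    """Return (allowed, reason) for an outgoing URL requested by `system`."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORT:
        return False, "scheme is not http(s)"
    if parts.username or parts.password:
        # 'https://typo3.org@other.example/' connects to other.example
        return False, "userinfo in URL"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port != DEFAULT_PORT[parts.scheme]:
        return False, "non-standard port"
    if not parts.hostname or not host_allowed(
            parts.hostname, ALLOWLIST.get(system, ())):
        return False, "host not on allowlist"
    return True, "ok"


if __name__ == "__main__":
    for system, url in [  # constructed sample requests
        ("production", "https://repo.packagist.org/packages.json"),
        ("deployment", "https://repo.packagist.org/packages.json"),
        ("deployment", "https://typo3.org.evil.example/"),
    ]:
        print(system, url, check_request(system, url))
```

Matching on the full hostname with a label boundary is what keeps look-alike names such as `typo3.org.evil.example` or `eviltypo3.org` off the list; a substring or plain suffix match would let them through.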