Reading over the docs I think I have a good idea of how to setup the web server security:
1) Internal IP on the actual webserver
2) NAT rule for external IP to the internal
3) Create the real/virtual web servers using the internal IP
4) Set the domain being used
I have some questions though. Can I avoid using a separate internal IP on the web server and use the external IP I already allocated to it, or does this require NAT? My DNS still points to the external IP being NAT'd, and the proxy just filters this automatically? Also, if I specify the root domain in the domains list does this cover subdomains as well or do these need to be added manually?
You don't need to do NAT with "webserver protection" for inside webservers. The subdomains have to be configured as virtual servers corresponding to real servers inside.
My "internal" network on the UTM is a routed /28 public IP block. Are you saying that the DNS for my domain needs to point to the IP that is bound to the UTM?
Ahh gotcha. One final question regarding the level of protection by this.. I'm guessing this offers more protection than when normal traffic passing through the IPS to an external facing web server? Or does this essentially just catch the same stuff?
You can see the "firewall profile" section in "webserver protection". Those features work well. A very nice feature is that your IP cannot be used any more by an outside browser like http://8.8.8.8. This IP will accept only URLs that point to 8.8.8.8 [:)]
Yes, a lot more in addition to IPS. Webserver Protection helps secure against SQL Injection and Cross-Site Scripting as well as offering other protections. The help for 'Firewall Profiles' in that section will give you a better idea.
It sounds like your current configuration is, in essence, a DMZ with public IPs that your ISP routes to via an IP on your External interface. My recommendation would be a two-step approach to move the public IPs to the Astaro:
1) Move the servers to a private IP range, put their public IPs on the External interface as Additional Addresses and put DNATs in place to route them to the new private IPs. Have your ISP change their gateway for the subnet to the same as for your primary IP.
2) Set up Real Servers for each new physical private IP, and configure one or more Firewall Profiles if needed. One-by-one, for each DNAT/Real Server, configure one or more virtual servers, activate them, disable the related DNAT and test. Adjust the configuration before moving on to the next DNAT.
Let us know how you decide to do it and any recommendations you'd make.
Cheers - Bob
Sophos UTM Community Moderator Sophos Certified Architect - UTM Sophos Certified Engineer - XG Gold Solution Partner since 2005
Decided to take one of the IPs from my /28 and create a listing under "additional addresses" for it as a /32 as I wanted to keep the inbound connections to my domain from being directed to my primary routed UTM IP (I know it makes no difference really but it is easier to track in my internal records). Created a static DNS entry for the hostname used in the real webserver area pointing to the internal IP of my web server, and created the virtual server using a test subdomain and "pass host header" checked as Apache wasn't picking up the right vhost otherwise. Seems to be good and I see my connections through the live log.
Got another question here.. I've noticed in the web server logs on the real server, the source IP reported for inbound connections is showing the gateway IP of the UTM obviously as it is proxying the traffic. Is there a way around this? It isn't critical but for log auditing purposes I wouldn't mind having the original source IP listed. I've already got the pass host header option enabled so that my vhosts worked correctly.
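Added example, not code from this thread or from Sophos: one way to get the original client address into the real server's audit trail when a reverse proxy sits in front of it is to log the X-Forwarded-For header and resolve it while trusting only the proxy's own address. It assumes the UTM inserts an X-Forwarded-For header (this thread does not confirm that) and that Apache on the real server logs it with a custom format such as `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Forwarded-For}i\"" proxycombined`. The UTM address, client addresses and log lines below are constructed.

```python
import ipaddress
import re

# Constructed: the UTM's address as the real web server sees it (the %h field in Apache's log).
TRUSTED_PROXIES = {ipaddress.ip_address("192.0.2.1")}

# Apache "combined" format plus a trailing quoted %{X-Forwarded-For}i field (assumed LogFormat).
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)"$'
)

# Constructed sample lines: two via the UTM, one direct hit with a forged header, one via the UTM with no header.
SAMPLE_LINES = [
    '192.0.2.1 - - [10/Oct/2020:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0" "203.0.113.7"',
    '192.0.2.1 - - [10/Oct/2020:13:55:40 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "198.51.100.9, 203.0.113.7"',
    '203.0.113.50 - - [10/Oct/2020:13:56:02 +0000] "GET /admin HTTP/1.1" 403 199 "-" "curl/7.68.0" "10.0.0.1"',
    '192.0.2.1 - - [10/Oct/2020:13:56:10 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "Mozilla/5.0" "-"',
]


def client_ip(remote_addr, xff):
    """Return (client_address, came_via_trusted_proxy).

    Only honour X-Forwarded-For when the TCP peer is a trusted proxy; walk the
    header from the right, skipping trusted hops, and take the first address
    that is not ours. Anything a client puts in the header before it reaches
    the proxy is an unverified claim and is ignored.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in TRUSTED_PROXIES:
        # Direct connection that bypassed the UTM: the header could be forged, so keep the peer address.
        return str(peer), False
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff and xff != "-" else []
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop and fall back to the proxy address rather than trust garbage
        if addr in TRUSTED_PROXIES:
            continue
        return str(addr), True
    # Proxy connected but supplied no usable header: record the proxy itself, flagged as unresolved.
    return str(peer), False


def parse_line(line):
    """Parse one access-log line into a dict with the resolved client address, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client"], rec["via_utm"] = client_ip(rec["remote"], rec["xff"])
    return rec


def audit(lines):
    """Resolve the real client for every parseable line; direct hits (via_utm False) deserve a closer look."""
    return [r for r in map(parse_line, lines) if r is not None]


if __name__ == "__main__":
    for r in audit(SAMPLE_LINES):
        flag = "via UTM" if r["via_utm"] else "DIRECT/unresolved"
        print(f'{r["client"]:15} {flag:18} {r["request"]} -> {r["status"]}')
```

The same resolution can be done inside Apache 2.4 with mod_remoteip (`RemoteIPHeader X-Forwarded-For` plus `RemoteIPInternalProxy` set to the UTM's address), which rewrites `%h` so existing log formats and access controls see the client address; either way, the check that matters is that only connections arriving from the UTM are allowed to override the peer address, otherwise anyone who can reach the real server directly can write whatever source they like into your logs.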