Network policies
There are six types of MiCADO network security policy.
Passthrough
tosca.policies.Security.MiCADO.Network.Passthrough
Passthrough network policy: specifies no additional filtering and no application-level firewall on the nodes.
L7Proxy
tosca.policies.Security.MiCADO.Network.L7Proxy
Applies an application-level firewall and can provide TLS control, but enforces no protocol.
Properties
properties:
  encryption:
    type: boolean
    description: Specifies if encryption should be used
    required: true
  encryption_key:
    type: string
    description: The key file for TLS encryption as unencrypted .PEM
    required: false
  encryption_cert:
    type: string
    description: The cert file for TLS encryption as .PEM
    required: false
  encryption_offload:
    type: string
    description: Controls whether connection should be re-encrypted server side
    required: false
  encryption_cipher:
    type: string
    description: Specifies allowed ciphers client side during TLS handshake
    required: false
SMTP Proxy
tosca.policies.Security.MiCADO.Network.SmtpProxy
Enforces the SMTP protocol and can provide TLS control.
Properties
properties:
  relay_check:
    type: boolean
    description: Toggle relay checking
    required: true
  permit_percent_hack:
    type: boolean
    description: Allow the % symbol in the local part of an email address
    required: false
  error_soft:
    type: boolean
    description: Return a soft error when recipient filter does not match
    required: false
  relay_domains:
    type: list
    description: Domains for which mail is accepted (uses Postfix-style lists)
    required: false
  permit_exclamation_mark:
    type: boolean
    description: Allow the ! symbol in the local part of an email address
    required: false
  relay_domains_matcher_whitelist:
    type: list
    description: Domains for which mail is accepted, based on a list of regexes (takes precedence)
    required: false
  relay_domains_matcher_blacklist:
    type: list
    description: Domains for which mail is rejected, based on a list of regexes
    required: false
  sender_matcher_whitelist:
    type: list
    description: Sender addresses accepted based on a list of regexes (takes precedence)
    required: false
  sender_matcher_blacklist:
    type: list
    description: Sender addresses rejected based on a list of regexes
    required: false
  recipient_matcher_whitelist:
    type: list
    description: Recipient addresses accepted based on a list of regexes (takes precedence)
    required: false
  recipient_matcher_blacklist:
    type: list
    description: Recipient addresses rejected based on a list of regexes
    required: false
  autodetect_domain_from:
    type: string
    description: Let Zorp autodetect the firewall domain name and write it to the Received line
    constraints:
      - valid_values: ["mailname", "fqdn"]
    required: false
  append_domain:
    type: string
    description: Domain to append to email addresses which do not specify a domain
    required: false
  permit_omission_of_angle_brackets:
    type: boolean
    description: Permit MAIL FROM and RCPT TO parameters without the normally required angle brackets
    required: false
  interval_transfer_noop:
    type: integer
    description: Interval between two NOOP commands sent to the server while waiting for stacked proxy results
    required: false
  resolve_host:
    type: boolean
    description: Resolve the client host from its IP address and write it to the Received line
    required: false
  permit_long_responses:
    type: boolean
    description: Permit overly long responses, as some MTAs include variable parts in responses
    required: false
  max_auth_request_length:
    type: integer
    description: Maximum allowed length of a request during SASL-style authentication
    required: false
  max_response_length:
    type: integer
    description: Maximum allowed line length of a server response
    required: false
  unconnected_response_code:
    type: integer
    description: Error code sent to the client if connecting to the server fails
    required: false
  add_received_header:
    type: boolean
    description: Add a Received header to the email messages transferred by the proxy
    required: false
  domain_name:
    type: string
    description: Fixed domain name for the added Received line; add_received_header must be true
    required: false
  tls_passthrough:
    type: boolean
    description: Change to passthrough mode
    required: false
  extensions:
    type: list
    description: Allowed ESMTP extensions, indexed by extension verb
    required: false
  require_crlf:
    type: boolean
    description: Specify whether the proxy should enforce valid CRLF line terminations
    required: false
  timeout:
    type: integer
    description: Timeout in ms; if no packet arrives, the connection is dropped
    required: false
  max_request_length:
    type: integer
    description: Maximum allowed line length of client requests
    required: false
  permit_unknown_command:
    type: boolean
    description: Enable unknown commands
    required: false
HTTP Proxy
tosca.policies.Security.MiCADO.Network.HttpProxy
Enforces the HTTP protocol and can provide TLS control.
Properties
properties:
  max_keepalive_requests:
    type: integer
    description: Max number of requests allowed in a single session
    required: false
  permit_proxy_requests:
    type: boolean
    description: Allow proxy type requests in transparent mode
    required: false
  reset_on_close:
    type: boolean
    description: If the connection is terminated without a proxy-generated error, send an RST instead of a normal close
    required: false
  permit_unicode_url:
    type: boolean
    description: Allow unicode characters in URLs encoded as %u
    required: false
  permit_server_requests:
    type: boolean
    description: Allow server type requests in non-transparent mode
    required: false
  max_hostname_length:
    type: integer
    description: Maximum allowed length of the hostname field in URLs
    required: false
  parent_proxy:
    type: string
    description: Address or hostname of the parent proxy to connect to
    required: false
  permit_ftp_over_http:
    type: boolean
    description: Allow processing FTP URLs in non-transparent mode
    required: false
  parent_proxy_port:
    type: integer
    description: Port of the parent proxy to connect to
    required: false
  permit_http09_responses:
    type: boolean
    description: Allow server responses to use the limited HTTP/0.9 protocol
    required: false
  rewrite_host_header:
    type: boolean
    description: Rewrite the Host header in requests when URL redirection occurs
    required: false
  max_line_length:
    type: integer
    description: Maximum allowed length of lines in requests and responses
    required: false
  max_chunk_length:
    type: integer
    description: Maximum allowed length of a single chunk when using chunked transfer encoding
    required: false
  strict_header_checking_action:
    type: string
    description: Specify the Zorp action on a non-RFC or unknown header in the communication
    constraints:
      - valid_values: ["accept", "drop", "abort"]
    required: false
  non_transparent_ports:
    type: list
    description: List of ports that non-transparent requests may use
    required: false
  strict_header_checking:
    type: boolean
    description: Require RFC-conformant HTTP headers
    required: false
  max_auth_time:
    type: integer
    description: Force a new auth request from the client browser after this time in seconds
    required: false
  max_url_length:
    type: integer
    description: Maximum allowed length of the URL in a request
    required: false
  timeout_request:
    type: integer
    description: Time to wait for a request to arrive from the client
    required: false
  rerequest_attempts:
    type: integer
    description: Number of attempts the proxy makes to send a request to the server
    required: false
  error_status:
    type: integer
    description: On error, Zorp uses this as the status code of the HTTP response
    required: false
  keep_persistent:
    type: boolean
    description: Try to keep the connection to the client persistent, even if unsupported
    required: false
  error_files_directory:
    type: string
    description: Location of HTTP error messages
    required: false
  max_header_lines:
    type: integer
    description: Maximum number of header lines allowed in requests and responses
    required: false
  use_canonicalized_urls:
    type: boolean
    description: Enable canonicalization, which converts URLs to canonical form
    required: false
  max_body_length:
    type: integer
    description: Maximum allowed length of an HTTP request or response body
    required: false
  require_host_header:
    type: boolean
    description: Require the presence of the Host header
    required: false
  buffer_size:
    type: integer
    description: Size of the I/O buffer used to transfer entity bodies
    required: false
  permitted_responses:
    type: list
    description: Normative policy hash for HTTP responses, indexed by HTTP method and response code
    entry_schema:
      description: dictionary (string/int)
      type: map
    required: false
  transparent_mode:
    type: boolean
    description: Enable transparent mode for the proxy
    required: false
  permit_null_response:
    type: boolean
    description: Permit RFC-noncompliant responses with headers not terminated by CRLF and no entity body
    required: false
  language:
    type: string
    description: Specify the language of HTTP error pages displayed to the client
    required: false
    default: English
  error_silent:
    type: boolean
    description: Turn off verbose error reporting to the HTTP client, making firewall fingerprinting more difficult
    required: false
  permitted_requests:
    type: list
    description: List of permitted HTTP methods, indexed by verb
    required: false
  use_default_port_in_transparent_mode:
    type: boolean
    description: Enable use of the default port in transparent mode
    required: false
  timeout_response:
    type: integer
    description: Time to wait for the HTTP status line to arrive from the server
    required: false
  permit_invalid_hex_escape:
    type: boolean
    description: Allow invalid hexadecimal escaping in URLs
    required: false
  auth_cache_time:
    type: integer
    description: Time in seconds to cache authentication information
    required: false
  timeout:
    type: integer
    description: General I/O timeout in ms
    required: false
  default_port:
    type: integer
    description: Used in non-transparent mode when the URL does not contain a port number
    required: false
    default: 80
HTTP URI Filter Proxy
tosca.policies.Security.MiCADO.Network.HttpURIFilterProxy
Enforces the HTTP protocol with regex-based URL filtering capabilities.
Properties
properties:
  matcher_whitelist:
    type: list
    description: List of regexes determining permitted access to a URL (takes precedence)
    required: true
  matcher_blacklist:
    type: list
    description: List of regexes determining prohibited access to a URL
    required: true
HTTP WebDAV Proxy
tosca.policies.Security.MiCADO.Network.HttpWebdavProxy
Enforces the HTTP protocol with the request methods used by WebDAV. This proxy has no additional properties.
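A pre-deployment check for the policy definitions above, written as an added example rather than MiCADO's own code: it transcribes a subset of the property definitions from this page (required flags, TOSCA types, valid_values constraints) and validates a policy's property map against them before the ADT is submitted. The policy dictionaries it is run on are constructed samples, and the `type`/`properties` keys mirror the TOSCA policy layout assumed here.

```python
"""Validate MiCADO network-policy properties against the definitions on this page."""

# Schema subset transcribed from the page: name -> (TOSCA type, required, valid_values)
SCHEMAS = {
    "tosca.policies.Security.MiCADO.Network.L7Proxy": {
        "encryption": ("boolean", True, None),
        "encryption_key": ("string", False, None),
        "encryption_cert": ("string", False, None),
        "encryption_offload": ("string", False, None),
        "encryption_cipher": ("string", False, None),
    },
    "tosca.policies.Security.MiCADO.Network.HttpProxy": {
        "strict_header_checking": ("boolean", False, None),
        "strict_header_checking_action": ("string", False, ["accept", "drop", "abort"]),
        "max_body_length": ("integer", False, None),
        "require_host_header": ("boolean", False, None),
        "error_silent": ("boolean", False, None),
    },
    "tosca.policies.Security.MiCADO.Network.HttpURIFilterProxy": {
        "matcher_whitelist": ("list", True, None),
        "matcher_blacklist": ("list", True, None),
    },
}
PY_TYPES = {"boolean": bool, "string": str, "integer": int, "list": list}


def validate_policy(policy):
    """Return a list of problems for one {'type': ..., 'properties': {...}} policy."""
    schema = SCHEMAS.get(policy.get("type"))
    if schema is None:
        return [f"unknown policy type {policy.get('type')!r}"]
    props = policy.get("properties") or {}
    problems = []
    for name, (ptype, required, valid) in schema.items():
        if name not in props:
            if required:
                problems.append(f"missing required property {name!r}")
            continue
        value = props[name]
        # bool is a subclass of int in Python, so reject True/False where an integer is expected
        if not isinstance(value, PY_TYPES[ptype]) or (ptype == "integer" and isinstance(value, bool)):
            problems.append(f"{name!r} should be {ptype}")
        elif valid is not None and value not in valid:
            problems.append(f"{name!r} must be one of {valid}, got {value!r}")
    problems.extend(f"unknown property {name!r}" for name in props if name not in schema)
    return problems


SAMPLE_POLICIES = [  # constructed samples, not taken from any deployment
    {"type": "tosca.policies.Security.MiCADO.Network.L7Proxy",
     "properties": {"encryption_cert": "cert.pem"}},          # forgot the required 'encryption'
    {"type": "tosca.policies.Security.MiCADO.Network.HttpProxy",
     "properties": {"strict_header_checking": True, "strict_header_checking_action": "reject",
                    "max_body_length": "1M"}},                 # bad enum value, wrong type
    {"type": "tosca.policies.Security.MiCADO.Network.HttpURIFilterProxy",
     "properties": {"matcher_whitelist": ["^/api/"], "matcher_blacklist": ["^/admin"]}},
]
```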